PRE_DEPLOYMENT_CHECKLIST.md

# Pre-Deployment Checklist

Complete this checklist before deploying to production servers.

## Infrastructure Verification

### RU VDS (176.124.216.197)

- [ ] Can SSH into server: `ssh root@176.124.216.197`
- [ ] Have root access: `sudo -i` or logged in as root
- [ ] Server is Debian 12 (or compatible): `cat /etc/debian_version`
- [ ] Adequate resources:
  - [ ] At least 1GB RAM: `free -h`
  - [ ] At least 5GB free disk: `df -h`
  - [ ] CPU is reasonable: `lscpu`
- [ ] Internet connectivity: `ping -c 4 8.8.8.8`
- [ ] Can resolve DNS: `nslookup google.com`
- [ ] Port 51820/udp not in use: `ss -ulnp | grep 51820` (should be empty)
- [ ] Port 53 not in use by another service: `ss -ulnp | grep :53` (or just systemd-resolved)

### DE VDS (194.31.173.178)

- [ ] Can SSH into server: `ssh root@194.31.173.178`
- [ ] Have root access: `sudo -i` or logged in as root
- [ ] Server is Debian 13 (or compatible): `cat /etc/debian_version`
- [ ] Adequate resources:
  - [ ] At least 512MB RAM: `free -h`
  - [ ] At least 5GB free disk: `df -h`
  - [ ] CPU is reasonable: `lscpu`
- [ ] Internet connectivity: `ping -c 4 8.8.8.8`
- [ ] Can resolve DNS: `nslookup google.com`
- [ ] Port 51821/udp not in use: `ss -ulnp | grep 51821` (should be empty)

### Network Connectivity

- [ ] RU VDS can reach DE VDS: `ping -c 4 194.31.173.178` (from RU VDS)
- [ ] DE VDS can reach RU VDS: `ping -c 4 176.124.216.197` (from DE VDS)
- [ ] No firewall blocking UDP between servers (if any external firewall exists)

## Security Preparation

### SSH Access

- [ ] Have backup SSH access method (console access, VNC, etc.)
- [ ] Know how to access server if SSH breaks
- [ ] Current SSH session is stable
- [ ] Consider opening second SSH session before making changes

### Firewall Considerations

- [ ] Understand current firewall setup (if any): `iptables -L -n` or `nft list ruleset`
- [ ] Have documented how to disable firewall if something goes wrong
- [ ] Won't lock yourself out when applying new firewall rules

### Backup Current State

- [ ] Backup current network config: `cp /etc/network/interfaces /root/interfaces.backup` (if applicable)
- [ ] Backup current SSH config: `cp /etc/ssh/sshd_config /root/sshd_config.backup`
- [ ] Know how to rollback changes if needed

## Client Device Preparation

- [ ] Have at least one device to test VPN client
- [ ] WireGuard app installed on test device:
  - iOS/Android: WireGuard app from App Store/Play Store
  - Windows: WireGuard from wireguard.com
  - macOS: WireGuard from App Store or wireguard.com
  - Linux: `apt install wireguard-tools`
- [ ] Device can scan QR codes (for mobile) or can copy/paste config text

## Tools and Access

### Local Machine

- [ ] Have SSH access from local machine to both servers
- [ ] Can copy files via SCP: `scp test.txt root@176.124.216.197:/tmp/` works
- [ ] Have text editor ready for editing configs
- [ ] Have terminal with multiple tabs/windows open

### Required Information

- [ ] DE VDS IP: 194.31.173.178 (confirmed)
- [ ] RU VDS IP: 176.124.216.197 (confirmed)
- [ ] Root password or SSH keys for both servers
- [ ] Know which local device will be first test client

## Time and Planning

- [ ] Have allocated 1-2 hours for deployment
- [ ] Not during critical business hours (in case of issues)
- [ ] Have time for troubleshooting if needed
- [ ] Not in a rush

## Documentation Review

- [ ] Read QUICKSTART.md overview
- [ ] Reviewed DEPLOYMENT.md deployment steps
- [ ] Know where to find troubleshooting info (DEPLOYMENT.md)
- [ ] Have TESTING.md ready for post-deployment tests

## Script Verification

### Check scripts are ready

```bash
cd /home/mish/vpn.git
ls -la scripts/
```

Should see:
- [ ] setup-de-vds.sh (executable)
- [ ] setup-ru-vds.sh (executable)
- [ ] add-client.sh (executable)
- [ ] disable-client.sh (executable)
- [ ] enable-client.sh (executable)
- [ ] remove-client.sh (executable)
- [ ] list-clients.sh (executable)

## Configuration Files Check

```bash
cd /home/mish/vpn.git
ls -la configs/de-vds/
ls -la configs/ru-vds/
```

Should see all required config files.

## Risk Assessment

### Understand the risks

- [ ] Understand that changes will be made to network configuration
- [ ] Understand that firewall rules will be modified
- [ ] Understand that new services will be installed
- [ ] Have rollback plan if things go wrong
- [ ] Won't lose access to servers (have console/recovery access)

### Rollback Plan

If something goes wrong:

**DE VDS:**
```bash
# Stop services
systemctl stop wg-quick@wg0
systemctl stop nftables

# Flush firewall
nft flush ruleset
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Default accept
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```

**RU VDS:**
```bash
# Stop services
systemctl stop wg-quick@wg0
systemctl stop wg-quick@wg1
systemctl stop dnsmasq

# Start systemd-resolved if it was stopped
systemctl start systemd-resolved

# Flush firewall (same as above)
nft flush ruleset
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```

## Post-Deployment Preparation

- [ ] Have notepad ready to save:
  - DE VDS public key
  - RU VDS server public key
  - RU VDS DE tunnel public key
- [ ] Ready to run tests from TESTING.md
- [ ] Have client device ready for connection test

## Final Verification

- [ ] All above items checked
- [ ] Confident to proceed
- [ ] Have time allocated
- [ ] No critical dependencies on servers right now
- [ ] Ready to start deployment

---

## Ready to Deploy?

If all items are checked, proceed to:

1. **QUICKSTART.md** - For rapid deployment
2. **DEPLOYMENT.md** - For detailed deployment guide

## Need More Info?

- Architecture details → README.md
- Implementation steps → IMPLEMENTATION.md
- Testing procedures → TESTING.md

---

## Deployment Day Checklist

### Morning of deployment

- [ ] Verify servers are accessible
- [ ] Verify servers are up-to-date: `apt update && apt list --upgradable`
- [ ] Create snapshot/backup if available from hosting provider
- [ ] Notify anyone who might be affected

### During deployment

- [ ] Follow DEPLOYMENT.md step by step
- [ ] Don't skip verification steps
- [ ] Test after each major phase
- [ ] Document any issues or deviations

### After deployment

- [ ] Complete all tests from TESTING.md
- [ ] Verify client can connect
- [ ] Verify routing is correct
- [ ] Document any configuration changes made
- [ ] Save all keys securely

---

## Emergency Contacts

Document here:

- VDS provider support: _______________________
- Backup admin contact: _______________________
- Your remote access method: _______________________

---

**Date completed:** _______________

**Completed by:** _______________

**Ready to proceed:** ☐ Yes ☐ No

**If No, blockers:**
_________________________________
_________________________________
_________________________________
Init 2026-02-02 20:11:05 +03:00			`# Pre-Deployment Checklist`

			`Complete this checklist before deploying to production servers.`

			`## Infrastructure Verification`

			`### RU VDS (176.124.216.197)`

			- [ ] Can SSH into server: `ssh root@176.124.216.197`
			- [ ] Have root access: `sudo -i` or logged in as root
			- [ ] Server is Debian 12 (or compatible): `cat /etc/debian_version`
			`- [ ] Adequate resources:`
			- [ ] At least 1GB RAM: `free -h`
			- [ ] At least 5GB free disk: `df -h`
			- [ ] CPU is reasonable: `lscpu`
			- [ ] Internet connectivity: `ping -c 4 8.8.8.8`
			- [ ] Can resolve DNS: `nslookup google.com`
			- [ ] Port 51820/udp not in use: `ss -ulnp \| grep 51820` (should be empty)
			- [ ] Port 53 not in use by another service: `ss -ulnp \| grep :53` (or just systemd-resolved)

			`### DE VDS (194.31.173.178)`

			- [ ] Can SSH into server: `ssh root@194.31.173.178`
			- [ ] Have root access: `sudo -i` or logged in as root
			- [ ] Server is Debian 13 (or compatible): `cat /etc/debian_version`
			`- [ ] Adequate resources:`
			- [ ] At least 512MB RAM: `free -h`
			- [ ] At least 5GB free disk: `df -h`
			- [ ] CPU is reasonable: `lscpu`
			- [ ] Internet connectivity: `ping -c 4 8.8.8.8`
			- [ ] Can resolve DNS: `nslookup google.com`
			- [ ] Port 51821/udp not in use: `ss -ulnp \| grep 51821` (should be empty)

			`### Network Connectivity`

			- [ ] RU VDS can reach DE VDS: `ping -c 4 194.31.173.178` (from RU VDS)
			- [ ] DE VDS can reach RU VDS: `ping -c 4 176.124.216.197` (from DE VDS)
			`- [ ] No firewall blocking UDP between servers (if any external firewall exists)`

			`## Security Preparation`

			`### SSH Access`

			`- [ ] Have backup SSH access method (console access, VNC, etc.)`
			`- [ ] Know how to access server if SSH breaks`
			`- [ ] Current SSH session is stable`
			`- [ ] Consider opening second SSH session before making changes`

			`### Firewall Considerations`

			- [ ] Understand current firewall setup (if any): `iptables -L -n` or `nft list ruleset`
			`- [ ] Have documented how to disable firewall if something goes wrong`
			`- [ ] Won't lock yourself out when applying new firewall rules`

			`### Backup Current State`

			- [ ] Backup current network config: `cp /etc/network/interfaces /root/interfaces.backup` (if applicable)
			- [ ] Backup current SSH config: `cp /etc/ssh/sshd_config /root/sshd_config.backup`
			`- [ ] Know how to rollback changes if needed`

			`## Client Device Preparation`

			`- [ ] Have at least one device to test VPN client`
			`- [ ] WireGuard app installed on test device:`
			`- iOS/Android: WireGuard app from App Store/Play Store`
			`- Windows: WireGuard from wireguard.com`
			`- macOS: WireGuard from App Store or wireguard.com`
			- Linux: `apt install wireguard-tools`
			`- [ ] Device can scan QR codes (for mobile) or can copy/paste config text`

			`## Tools and Access`

			`### Local Machine`

			`- [ ] Have SSH access from local machine to both servers`
			- [ ] Can copy files via SCP: `scp test.txt root@176.124.216.197:/tmp/` works
			`- [ ] Have text editor ready for editing configs`
			`- [ ] Have terminal with multiple tabs/windows open`

			`### Required Information`

			`- [ ] DE VDS IP: 194.31.173.178 (confirmed)`
			`- [ ] RU VDS IP: 176.124.216.197 (confirmed)`
			`- [ ] Root password or SSH keys for both servers`
			`- [ ] Know which local device will be first test client`

			`## Time and Planning`

			`- [ ] Have allocated 1-2 hours for deployment`
			`- [ ] Not during critical business hours (in case of issues)`
			`- [ ] Have time for troubleshooting if needed`
			`- [ ] Not in a rush`

			`## Documentation Review`

			`- [ ] Read QUICKSTART.md overview`
			`- [ ] Reviewed DEPLOYMENT.md deployment steps`
			`- [ ] Know where to find troubleshooting info (DEPLOYMENT.md)`
			`- [ ] Have TESTING.md ready for post-deployment tests`

			`## Script Verification`

			`### Check scripts are ready`

			```bash
			`cd /home/mish/vpn.git`
			`ls -la scripts/`
			```

			`Should see:`
			`- [ ] setup-de-vds.sh (executable)`
			`- [ ] setup-ru-vds.sh (executable)`
			`- [ ] add-client.sh (executable)`
			`- [ ] disable-client.sh (executable)`
			`- [ ] enable-client.sh (executable)`
			`- [ ] remove-client.sh (executable)`
			`- [ ] list-clients.sh (executable)`

			`## Configuration Files Check`

			```bash
			`cd /home/mish/vpn.git`
			`ls -la configs/de-vds/`
			`ls -la configs/ru-vds/`
			```

			`Should see all required config files.`

			`## Risk Assessment`

			`### Understand the risks`

			`- [ ] Understand that changes will be made to network configuration`
			`- [ ] Understand that firewall rules will be modified`
			`- [ ] Understand that new services will be installed`
			`- [ ] Have rollback plan if things go wrong`
			`- [ ] Won't lose access to servers (have console/recovery access)`

			`### Rollback Plan`

			`If something goes wrong:`

			`DE VDS:`
			```bash
			`# Stop services`
			`systemctl stop wg-quick@wg0`
			`systemctl stop nftables`

			`# Flush firewall`
			`nft flush ruleset`
			`iptables -F`
			`iptables -X`
			`iptables -t nat -F`
			`iptables -t nat -X`

			`# Default accept`
			`iptables -P INPUT ACCEPT`
			`iptables -P FORWARD ACCEPT`
			`iptables -P OUTPUT ACCEPT`
			```

			`RU VDS:`
			```bash
			`# Stop services`
			`systemctl stop wg-quick@wg0`
			`systemctl stop wg-quick@wg1`
			`systemctl stop dnsmasq`

			`# Start systemd-resolved if it was stopped`
			`systemctl start systemd-resolved`

			`# Flush firewall (same as above)`
			`nft flush ruleset`
			`iptables -F`
			`iptables -X`
			`iptables -t nat -F`
			`iptables -t nat -X`
			`iptables -P INPUT ACCEPT`
			`iptables -P FORWARD ACCEPT`
			`iptables -P OUTPUT ACCEPT`
			```

			`## Post-Deployment Preparation`

			`- [ ] Have notepad ready to save:`
			`- DE VDS public key`
			`- RU VDS server public key`
			`- RU VDS DE tunnel public key`
			`- [ ] Ready to run tests from TESTING.md`
			`- [ ] Have client device ready for connection test`

			`## Final Verification`

			`- [ ] All above items checked`
			`- [ ] Confident to proceed`
			`- [ ] Have time allocated`
			`- [ ] No critical dependencies on servers right now`
			`- [ ] Ready to start deployment`

			`---`

			`## Ready to Deploy?`

			`If all items are checked, proceed to:`

			`1. QUICKSTART.md - For rapid deployment`
			`2. DEPLOYMENT.md - For detailed deployment guide`

			`## Need More Info?`

			`- Architecture details → README.md`
			`- Implementation steps → IMPLEMENTATION.md`
			`- Testing procedures → TESTING.md`

			`---`

			`## Deployment Day Checklist`

			`### Morning of deployment`

			`- [ ] Verify servers are accessible`
			- [ ] Verify servers are up-to-date: `apt update && apt list --upgradable`
			`- [ ] Create snapshot/backup if available from hosting provider`
			`- [ ] Notify anyone who might be affected`

			`### During deployment`

			`- [ ] Follow DEPLOYMENT.md step by step`
			`- [ ] Don't skip verification steps`
			`- [ ] Test after each major phase`
			`- [ ] Document any issues or deviations`

			`### After deployment`

			`- [ ] Complete all tests from TESTING.md`
			`- [ ] Verify client can connect`
			`- [ ] Verify routing is correct`
			`- [ ] Document any configuration changes made`
			`- [ ] Save all keys securely`

			`---`

			`## Emergency Contacts`

			`Document here:`

			`- VDS provider support: _______________________`
			`- Backup admin contact: _______________________`
			`- Your remote access method: _______________________`

			`---`

			`Date completed: _______________`

			`Completed by: _______________`

			`Ready to proceed: ☐ Yes ☐ No`

			`If No, blockers:`
			`_________________________________`
			`_________________________________`
			`_________________________________`