scripts/setup-de-vds.sh

#!/bin/bash
set -e

# Setup script for DE VDS (Exit Node)
# Run this script as root on the DE VDS server

echo "========================================="
echo "DE VDS (Exit Node) Setup"
echo "========================================="
echo ""

# Check if running as root
if [ "$EUID" -ne 0 ]; then
    echo "ERROR: Please run as root"
    exit 1
fi

echo "[1/7] Updating system packages..."
apt update
apt upgrade -y

echo "[2/7] Installing required packages..."
apt install -y wireguard nftables iptables

echo "[3/7] Enabling IP forwarding..."
cat > /etc/sysctl.d/99-vpn.conf << 'EOF'
# Enable IP forwarding for VPN
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/99-vpn.conf

echo "[4/7] Generating WireGuard keys..."
mkdir -p /etc/wireguard/keys
chmod 700 /etc/wireguard/keys
wg genkey | tee /etc/wireguard/keys/server.key | wg pubkey > /etc/wireguard/keys/server.pub
chmod 600 /etc/wireguard/keys/*

echo "[5/7] Creating WireGuard configuration..."
cat > /etc/wireguard/wg0.conf << 'EOF'
[Interface]
Address = 10.20.0.2/30
ListenPort = 51821
PrivateKey = __DE_SERVER_PRIVATE_KEY__
PostUp = nft -f /etc/nftables.conf
PostDown = nft flush ruleset

[Peer]
# RU VDS (server tunnel)
PublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__
AllowedIPs = 10.20.0.1/32, 10.10.0.0/24
EOF

# Replace private key placeholder
PRIVATE_KEY=$(cat /etc/wireguard/keys/server.key)
sed -i "s|__DE_SERVER_PRIVATE_KEY__|${PRIVATE_KEY}|g" /etc/wireguard/wg0.conf

echo "[6/7] Creating nftables configuration..."
cat > /etc/nftables.conf << 'EOF'
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow established connections
        ct state established,related accept

        # Allow loopback
        iif lo accept

        # Allow SSH (adjust port if needed)
        tcp dport 22 accept

        # Allow WireGuard from RU VDS only
        ip saddr 176.124.216.197 udp dport 51821 accept

        # Allow ICMP
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow forwarding from VPN
        iifname "wg0" accept

        # Allow established connections back
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;

        # NAT traffic from VPN to internet
        oifname != "wg0" ip saddr { 10.10.0.0/24, 10.20.0.0/30 } masquerade
    }
}
EOF

chmod +x /etc/nftables.conf

echo "[7/7] Enabling services..."
systemctl enable nftables
systemctl enable wg-quick@wg0

echo ""
echo "========================================="
echo "Setup completed!"
echo "========================================="
echo ""
echo "IMPORTANT: Next steps"
echo ""
echo "1. Your DE VDS public key is:"
echo ""
cat /etc/wireguard/keys/server.pub
echo ""
echo "2. You need to get the RU VDS public key (from de-tunnel.pub)"
echo ""
echo "3. Edit /etc/wireguard/wg0.conf and replace:"
echo "   __RU_DE_TUNNEL_PUBLIC_KEY__ with the actual RU VDS de-tunnel public key"
echo ""
echo "4. Start the services:"
echo "   systemctl start nftables"
echo "   systemctl start wg-quick@wg0"
echo ""
echo "5. Verify the tunnel:"
echo "   wg show"
echo "   ping 10.20.0.1"
echo ""
Init 2026-02-02 20:11:05 +03:00			`#!/bin/bash`
			`set -e`

			`# Setup script for DE VDS (Exit Node)`
			`# Run this script as root on the DE VDS server`

			`echo "========================================="`
			`echo "DE VDS (Exit Node) Setup"`
			`echo "========================================="`
			`echo ""`

			`# Check if running as root`
			`if [ "$EUID" -ne 0 ]; then`
			`echo "ERROR: Please run as root"`
			`exit 1`
			`fi`

			`echo "[1/7] Updating system packages..."`
			`apt update`
			`apt upgrade -y`

			`echo "[2/7] Installing required packages..."`
			`apt install -y wireguard nftables iptables`

			`echo "[3/7] Enabling IP forwarding..."`
			`cat > /etc/sysctl.d/99-vpn.conf << 'EOF'`
			`# Enable IP forwarding for VPN`
			`net.ipv4.ip_forward = 1`
			`EOF`
			`sysctl -p /etc/sysctl.d/99-vpn.conf`

			`echo "[4/7] Generating WireGuard keys..."`
			`mkdir -p /etc/wireguard/keys`
			`chmod 700 /etc/wireguard/keys`
			`wg genkey \| tee /etc/wireguard/keys/server.key \| wg pubkey > /etc/wireguard/keys/server.pub`
			`chmod 600 /etc/wireguard/keys/*`

			`echo "[5/7] Creating WireGuard configuration..."`
			`cat > /etc/wireguard/wg0.conf << 'EOF'`
			`[Interface]`
			`Address = 10.20.0.2/30`
			`ListenPort = 51821`
			`PrivateKey = __DE_SERVER_PRIVATE_KEY__`
			`PostUp = nft -f /etc/nftables.conf`
			`PostDown = nft flush ruleset`

			`[Peer]`
			`# RU VDS (server tunnel)`
			`PublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__`
			`AllowedIPs = 10.20.0.1/32, 10.10.0.0/24`
			`EOF`

			`# Replace private key placeholder`
			`PRIVATE_KEY=$(cat /etc/wireguard/keys/server.key)`
			`sed -i "s\|__DE_SERVER_PRIVATE_KEY__\|${PRIVATE_KEY}\|g" /etc/wireguard/wg0.conf`

			`echo "[6/7] Creating nftables configuration..."`
			`cat > /etc/nftables.conf << 'EOF'`
			`#!/usr/sbin/nft -f`

			`flush ruleset`

			`table inet filter {`
			`chain input {`
			`type filter hook input priority 0; policy drop;`

			`# Allow established connections`
			`ct state established,related accept`

			`# Allow loopback`
			`iif lo accept`

			`# Allow SSH (adjust port if needed)`
			`tcp dport 22 accept`

			`# Allow WireGuard from RU VDS only`
			`ip saddr 176.124.216.197 udp dport 51821 accept`

			`# Allow ICMP`
			`icmp type echo-request accept`
			`}`

			`chain forward {`
			`type filter hook forward priority 0; policy drop;`

			`# Allow forwarding from VPN`
			`iifname "wg0" accept`

			`# Allow established connections back`
			`ct state established,related accept`
			`}`

			`chain output {`
			`type filter hook output priority 0; policy accept;`
			`}`
			`}`

			`table inet nat {`
			`chain postrouting {`
			`type nat hook postrouting priority 100;`

			`# NAT traffic from VPN to internet`
			`oifname != "wg0" ip saddr { 10.10.0.0/24, 10.20.0.0/30 } masquerade`
			`}`
			`}`
			`EOF`

			`chmod +x /etc/nftables.conf`

			`echo "[7/7] Enabling services..."`
			`systemctl enable nftables`
			`systemctl enable wg-quick@wg0`

			`echo ""`
			`echo "========================================="`
			`echo "Setup completed!"`
			`echo "========================================="`
			`echo ""`
			`echo "IMPORTANT: Next steps"`
			`echo ""`
			`echo "1. Your DE VDS public key is:"`
			`echo ""`
			`cat /etc/wireguard/keys/server.pub`
			`echo ""`
			`echo "2. You need to get the RU VDS public key (from de-tunnel.pub)"`
			`echo ""`
			`echo "3. Edit /etc/wireguard/wg0.conf and replace:"`
			`echo " __RU_DE_TUNNEL_PUBLIC_KEY__ with the actual RU VDS de-tunnel public key"`
			`echo ""`
			`echo "4. Start the services:"`
			`echo " systemctl start nftables"`
			`echo " systemctl start wg-quick@wg0"`
			`echo ""`
			`echo "5. Verify the tunnel:"`
			`echo " wg show"`
			`echo " ping 10.20.0.1"`
			`echo ""`