Add .env configuration for easy environment customization

- Create .env.example with all configurable settings:
  - Server IPs (RU_VDS_IP, DE_VDS_IP)
  - WireGuard ports (WG_CLIENT_PORT, WG_TUNNEL_PORT)
  - VPN networks (USER_VPN_NETWORK, TUNNEL_NETWORK)
  - DNS settings, SSH port, timeouts
- Add .gitignore to exclude .env from version control
- Update setup-ru-vds.sh to read from .env
- Update setup-de-vds.sh to read from .env
- Update add-client.sh to use configuration
- Setup scripts save config to /etc/wireguard/vpn.conf for runtime use
- Update documentation with .env usage instructions

This allows easy deployment to test environments by simply
changing values in .env before running setup scripts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

scripts/setup-ru-vds.sh

@@ -9,11 +9,50 @@ set -e
 # - dnsmasq for DNS resolution
 # - nftables for firewall and routing
 # - Policy routing for split-tunnel VPN
+#
+# Configuration is loaded from .env file (copy from .env.example)
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ENV_FILE="${SCRIPT_DIR}/../.env"
+
+# Load configuration
+if [ -f "$ENV_FILE" ]; then
+    source "$ENV_FILE"
+    echo "Loaded configuration from .env"
+else
+    echo "WARNING: .env file not found at $ENV_FILE"
+    echo "Using default values. Copy .env.example to .env to customize."
+    echo ""
+fi
+
+# Default values (used if .env not present or variable not set)
+: "${RU_VDS_IP:=176.124.216.197}"
+: "${DE_VDS_IP:=194.31.173.178}"
+: "${WG_CLIENT_PORT:=51820}"
+: "${WG_TUNNEL_PORT:=51821}"
+: "${USER_VPN_NETWORK:=10.10.0.0/24}"
+: "${USER_VPN_GATEWAY:=10.10.0.1}"
+: "${TUNNEL_NETWORK:=10.20.0.0/30}"
+: "${TUNNEL_RU_IP:=10.20.0.1}"
+: "${TUNNEL_DE_IP:=10.20.0.2}"
+: "${DNS_UPSTREAM_1:=8.8.8.8}"
+: "${DNS_UPSTREAM_2:=8.8.4.4}"
+: "${DNS_UPSTREAM_3:=1.1.1.1}"
+: "${SSH_PORT:=22}"
+: "${NFT_SET_TIMEOUT:=6h}"
+: "${WG_KEEPALIVE:=25}"
+: "${DNS_CACHE_SIZE:=10000}"
 
 echo "========================================="
 echo "RU VDS (Gateway) Setup"
 echo "========================================="
 echo ""
+echo "Configuration:"
+echo "  RU VDS IP: $RU_VDS_IP"
+echo "  DE VDS IP: $DE_VDS_IP"
+echo "  User VPN: $USER_VPN_NETWORK (gateway: $USER_VPN_GATEWAY)"
+echo "  Tunnel: $TUNNEL_RU_IP <-> $TUNNEL_DE_IP"
+echo ""
 
 # Check if running as root
 if [ "$EUID" -ne 0 ]; then
@@ -63,10 +102,10 @@ fi
 echo "[7/11] Creating WireGuard configurations..."
 
 # wg0 - user-facing
-cat > /etc/wireguard/wg0.conf << 'EOF'
+cat > /etc/wireguard/wg0.conf << EOF
 [Interface]
-Address = 10.10.0.1/24
-ListenPort = 51820
+Address = ${USER_VPN_GATEWAY}/24
+ListenPort = ${WG_CLIENT_PORT}
 PrivateKey = __RU_SERVER_PRIVATE_KEY__
 PostUp = /etc/wireguard/postup.sh
 PostDown = /etc/wireguard/postdown.sh
@@ -80,17 +119,17 @@ PRIVATE_KEY=$(cat /etc/wireguard/keys/server.key)
 sed -i "s|__RU_SERVER_PRIVATE_KEY__|${PRIVATE_KEY}|g" /etc/wireguard/wg0.conf
 
 # wg1 - DE tunnel
-cat > /etc/wireguard/wg1.conf << 'EOF'
+cat > /etc/wireguard/wg1.conf << EOF
 [Interface]
-Address = 10.20.0.1/30
+Address = ${TUNNEL_RU_IP}/30
 PrivateKey = __RU_DE_TUNNEL_PRIVATE_KEY__
 
 [Peer]
 # DE VDS (exit node)
 PublicKey = __DE_SERVER_PUBLIC_KEY__
-Endpoint = 194.31.173.178:51821
-AllowedIPs = 10.10.0.0/24
-PersistentKeepalive = 25
+Endpoint = ${DE_VDS_IP}:${WG_TUNNEL_PORT}
+AllowedIPs = ${USER_VPN_NETWORK}
+PersistentKeepalive = ${WG_KEEPALIVE}
 EOF
 
 # Replace private key placeholder
@@ -100,7 +139,7 @@ sed -i "s|__RU_DE_TUNNEL_PRIVATE_KEY__|${DE_TUNNEL_KEY}|g" /etc/wireguard/wg1.co
 echo "[8/11] Creating WireGuard helper scripts..."
 
 # PostUp script
-cat > /etc/wireguard/postup.sh << 'EOF'
+cat > /etc/wireguard/postup.sh << EOF
 #!/bin/bash
 set -e
 
@@ -113,16 +152,16 @@ set -e
 nft -f /etc/nftables.conf
 
 # Add default route via DE tunnel for 'proxy' table
-ip route add default via 10.20.0.2 dev wg1 table proxy 2>/dev/null || true
+ip route add default via ${TUNNEL_DE_IP} dev wg1 table proxy 2>/dev/null || true
 
 # Policy routing: packets with fwmark 0x1 use 'proxy' table
-ip rule add from 10.10.0.0/24 fwmark 0x1 table proxy priority 100 2>/dev/null || true
+ip rule add from ${USER_VPN_NETWORK} fwmark 0x1 table proxy priority 100 2>/dev/null || true
 
 echo "PostUp script completed successfully"
 EOF
 
 # PostDown script
-cat > /etc/wireguard/postdown.sh << 'EOF'
+cat > /etc/wireguard/postdown.sh << EOF
 #!/bin/bash
 
 #
@@ -131,7 +170,7 @@ cat > /etc/wireguard/postdown.sh << 'EOF'
 #
 
 # Remove policy routing rule
-ip rule del from 10.10.0.0/24 fwmark 0x1 table proxy priority 100 2>/dev/null || true
+ip rule del from ${USER_VPN_NETWORK} fwmark 0x1 table proxy priority 100 2>/dev/null || true
 
 # Flush routing table
 ip route flush table proxy 2>/dev/null || true
@@ -146,7 +185,7 @@ chmod +x /etc/wireguard/postup.sh
 chmod +x /etc/wireguard/postdown.sh
 
 echo "[9/11] Creating nftables configuration..."
-cat > /etc/nftables.conf << 'EOF'
+cat > /etc/nftables.conf << EOF
 #!/usr/sbin/nft -f
 #
 # RU VDS nftables configuration
@@ -169,11 +208,11 @@ table inet filter {
         # Allow loopback
         iif lo accept
 
-        # Allow SSH (adjust port if needed)
-        tcp dport 22 accept
+        # Allow SSH
+        tcp dport ${SSH_PORT} accept
 
         # Allow WireGuard from anywhere (user connections)
-        udp dport 51820 accept
+        udp dport ${WG_CLIENT_PORT} accept
 
         # Allow DNS from VPN clients only
         iifname "wg0" udp dport 53 accept
@@ -204,11 +243,10 @@ table inet filter {
 table ip vpn-routing {
     # Set for Russian IPs (direct routing, no proxy)
     # Populated by /etc/wireguard/update-direct-routes.sh
-    # Auto-expires entries after 6 hours
     set direct {
         type ipv4_addr
         flags interval, timeout
-        timeout 6h
+        timeout ${NFT_SET_TIMEOUT}
     }
 
     # Packet marking chain for policy routing
@@ -216,7 +254,7 @@ table ip vpn-routing {
         type filter hook prerouting priority mangle; policy accept;
 
         # Only process traffic from VPN clients
-        ip saddr != 10.10.0.0/24 return
+        ip saddr != ${USER_VPN_NETWORK} return
 
         # Destinations in 'direct' set: no mark (direct routing)
         ip daddr @direct return
@@ -231,7 +269,7 @@ table inet nat {
         type nat hook postrouting priority 100;
 
         # NAT traffic going out to internet directly (not via wg1 tunnel)
-        oifname != "wg0" oifname != "wg1" ip saddr 10.10.0.0/24 masquerade
+        oifname != "wg0" oifname != "wg1" ip saddr ${USER_VPN_NETWORK} masquerade
     }
 }
 EOF
@@ -239,7 +277,7 @@ EOF
 chmod +x /etc/nftables.conf
 
 echo "[10/11] Configuring dnsmasq..."
-cat > /etc/dnsmasq.d/vpn-routing.conf << 'EOF'
+cat > /etc/dnsmasq.d/vpn-routing.conf << EOF
 # dnsmasq configuration for VPN routing
 #
 # Note: Routing decisions are based on destination IP ranges,
@@ -251,15 +289,15 @@ interface=wg0
 bind-interfaces
 
 # Upstream DNS servers
-server=8.8.8.8
-server=8.8.4.4
-server=1.1.1.1
+server=${DNS_UPSTREAM_1}
+server=${DNS_UPSTREAM_2}
+server=${DNS_UPSTREAM_3}
 
 # Don't read /etc/resolv.conf
 no-resolv
 
 # Cache settings
-cache-size=10000
+cache-size=${DNS_CACHE_SIZE}
 
 # Log queries (optional, uncomment for debugging)
 # log-queries
@@ -332,6 +370,23 @@ chmod +x /etc/wireguard/update-direct-routes.sh
 # Create clients directory
 mkdir -p /etc/wireguard/clients
 
+# Save configuration for client management scripts
+echo "Saving VPN configuration..."
+cat > /etc/wireguard/vpn.conf << EOF
+# VPN configuration - used by client management scripts
+# Generated by setup-ru-vds.sh
+
+RU_VDS_IP="${RU_VDS_IP}"
+DE_VDS_IP="${DE_VDS_IP}"
+WG_CLIENT_PORT="${WG_CLIENT_PORT}"
+WG_TUNNEL_PORT="${WG_TUNNEL_PORT}"
+USER_VPN_NETWORK="${USER_VPN_NETWORK}"
+USER_VPN_GATEWAY="${USER_VPN_GATEWAY}"
+TUNNEL_DE_IP="${TUNNEL_DE_IP}"
+WG_KEEPALIVE="${WG_KEEPALIVE}"
+EOF
+chmod 600 /etc/wireguard/vpn.conf
+
 # Add cron job for weekly updates
 echo "Setting up weekly cron job for IP range updates..."
 cat > /etc/cron.weekly/update-vpn-routes << 'CRON'