This commit is contained in:
mguschin
2026-02-02 20:11:05 +03:00
parent 49f778a61b
commit b117efc604
26 changed files with 3544 additions and 1 deletions


@@ -0,0 +1,10 @@
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.10.0.X/32
DNS = 10.10.0.1
[Peer]
PublicKey = <RU_SERVER_PUBLIC_KEY>
Endpoint = 176.124.216.197:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
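Review bot: `AllowedIPs = 0.0.0.0/0` captures only IPv4, so on a client with native IPv6 connectivity any IPv6 traffic bypasses the tunnel entirely; if the server side is IPv4-only, `AllowedIPs = 0.0.0.0/0, ::/0` should at least keep that traffic inside the tunnel (where it is dropped) rather than let it leak around it. The split routing in this commit depends on clients resolving through `DNS = 10.10.0.1`, so a client that overrides DNS silently loses the ipset-based direct routing; a comment above the `DNS` line stating that dependency would help. No `PresharedKey` is set for the peer; it is optional, but it adds a symmetric-key layer at no cost when the client config is generated by a script anyway. The placeholder style `<CLIENT_PRIVATE_KEY>` also differs from the `__NAME__` convention used by the server configs in this commit.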


@@ -0,0 +1,2 @@
# Enable IP forwarding for VPN
net.ipv4.ip_forward = 1


@@ -0,0 +1,47 @@
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Allow established connections
ct state established,related accept
# Allow loopback
iif lo accept
# Allow SSH (adjust port if needed)
tcp dport 22 accept
# Allow WireGuard from RU VDS only
ip saddr 176.124.216.197 udp dport 51821 accept
# Allow ICMP
icmp type echo-request accept
}
chain forward {
type filter hook forward priority 0; policy drop;
# Allow forwarding from VPN
iifname "wg0" accept
# Allow established connections back
ct state established,related accept
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table inet nat {
chain postrouting {
type nat hook postrouting priority 100;
# NAT traffic from VPN to internet
oifname != "wg0" ip saddr { 10.10.0.0/24, 10.20.0.0/30 } masquerade
}
}
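Review bot: The `input` chain here (and the same chain in the RU VDS nftables hunk later in this commit) only exempts IPv4 `icmp type echo-request` from the drop policy, so if either host has an IPv6 address, ICMPv6 neighbor discovery and packet-too-big messages are dropped as well and IPv6 connectivity on the host itself breaks; add `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, packet-too-big, echo-request } accept` next to the ICMP rule, or document that the hosts are IPv4-only. Both `input` chains accept established/related flows without first discarding broken state, so `ct state invalid drop` as the first rule is worth adding. The `tcp dport 22 accept` rule is reachable from any source; a `ct state new limit rate 10/minute` qualifier or a source restriction would narrow it without changing the design.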

11
configs/de-vds/wg0.conf Normal file

@@ -0,0 +1,11 @@
[Interface]
Address = 10.20.0.2/30
ListenPort = 51821
PrivateKey = __DE_SERVER_PRIVATE_KEY__
PostUp = nft -f /etc/nftables.conf
PostDown = nft flush ruleset
[Peer]
# RU VDS (server tunnel)
PublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__
AllowedIPs = 10.20.0.1/32, 10.10.0.0/24
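Review bot: `PostDown = nft flush ruleset` removes the entire firewall, including the drop policy and the RU-only WireGuard rule, so whenever wg0 is brought down the host runs with no input filtering until the tunnel comes back. The `nftables.conf` added in this commit is a complete ruleset whose `iifname "wg0"` matches do not require the interface to exist, so reloading it — `PostDown = nft -f /etc/nftables.conf` — or leaving the ruleset to `nftables.service` and dropping `PostDown` keeps the host filtered. The peer block has no `Endpoint`, which matches the RU side initiating; a comment saying so above `[Peer]` would save the next reader checking.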


@@ -0,0 +1,2 @@
# Enable IP forwarding for VPN
net.ipv4.ip_forward = 1


@@ -0,0 +1,55 @@
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Allow established connections
ct state established,related accept
# Allow loopback
iif lo accept
# Allow SSH (adjust port if needed)
tcp dport 22 accept
# Allow WireGuard from anywhere (user connections)
udp dport 51820 accept
# Allow DNS from VPN clients only
iifname "wg0" udp dport 53 accept
iifname "wg0" tcp dport 53 accept
# Allow ICMP
icmp type echo-request accept
}
chain forward {
type filter hook forward priority 0; policy drop;
# Allow forwarding from user VPN
iifname "wg0" accept
# Allow forwarding from DE tunnel
iifname "wg1" accept
# Allow established connections
ct state established,related accept
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table inet nat {
chain postrouting {
type nat hook postrouting priority 100;
# NAT direct traffic going out main interface
# Traffic going through wg1 doesn't need NAT (DE VDS will NAT it)
oifname != "wg0" oifname != "wg1" ip saddr 10.10.0.0/24 masquerade
}
}
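Review bot: `iifname "wg1" accept` in `forward` accepts any forwarded packet arriving from the DE tunnel regardless of connection state, while the legitimate traffic on that path is replies to client flows, which the following `ct state established,related accept` already covers; dropping the wg1 rule, or narrowing it to `iifname "wg1" oifname "wg0" accept`, keeps a compromised DE host from originating forwarded traffic into the client network, rather than relying on the wg1 peer's `AllowedIPs` alone for that. The NAT rule correctly skips wg1 so client sources reach the DE side un-translated, which the DE ruleset's masquerade source list depends on; a one-line comment tying the two together would help.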


@@ -0,0 +1,18 @@
#!/bin/bash
# Remove policy routing rule
ip rule del from 10.10.0.0/24 fwmark 0x1 table proxy priority 100 2>/dev/null || true
# Flush routing table
ip route flush table proxy 2>/dev/null || true
# Remove iptables mangle rule
iptables -t mangle -F PREROUTING 2>/dev/null || true
# Destroy ipsets
ipset destroy direct 2>/dev/null || true
# Flush nftables (if not managed by other services)
# nft flush ruleset
echo "PostDown script completed"
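Review bot: `iptables -t mangle -F PREROUTING` flushes every rule in that chain, not only the MARK rule postup.sh inserted, so any other service's mangle rules are lost on tunnel teardown; delete the specific rule instead, `iptables -t mangle -D PREROUTING -m set ! --match-set direct dst -s 10.10.0.0/24 -j MARK --set-mark 0x1 2>/dev/null || true`. `ipset destroy direct` fails (silently, given `|| true`) while a rule still references the set, so the order — remove the rule first, then destroy the set — matters and is already correct here; a comment noting that dependency would keep it from being reordered.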

21
configs/ru-vds/postup.sh Normal file

@@ -0,0 +1,21 @@
#!/bin/bash
set -e
# Create ipsets for routing decisions
ipset create direct hash:net -exist
ipset flush direct
# Add default route via DE tunnel for 'proxy' table
ip route add default via 10.20.0.2 dev wg1 table proxy 2>/dev/null || true
# Policy routing: packets with fwmark 0x1 use 'proxy' table
ip rule add from 10.10.0.0/24 fwmark 0x1 table proxy priority 100 2>/dev/null || true
# Load nftables rules
nft -f /etc/nftables.conf
# Mark packets NOT going to 'direct' ipset with fwmark 0x1
# This is needed because nftables + ipset integration is complex
iptables -t mangle -I PREROUTING -m set ! --match-set direct dst -s 10.10.0.0/24 -j MARK --set-mark 0x1
echo "PostUp script completed successfully"
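Review bot: `iptables -t mangle -I PREROUTING ... -j MARK --set-mark 0x1` is inserted unconditionally on every PostUp, so if PostDown does not run (unclean shutdown, interface re-created without wg-quick) the rule is duplicated; guard it as `iptables -t mangle -C PREROUTING <same match> 2>/dev/null || iptables -t mangle -I PREROUTING <same match>`. `ipset create direct hash:net -exist` creates the set without a `timeout`, so addresses that dnsmasq adds stay direct-routed until the next `ipset flush`, even after the domain stops resolving to them; `hash:net timeout 3600` bounds that, as the set-level default should apply to entries dnsmasq adds (worth confirming with the installed dnsmasq). `set -e` is effectively disabled for the `ip route`/`ip rule` lines by `|| true`, which is fine for idempotency but means a missing `proxy` entry in `rt_tables` is never surfaced because `2>/dev/null` hides the error.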

10
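--- a/configs/ru-vds/rt_tables
+++ b/configs/ru-vds/rt_tables
@@ -0,0 +1,10 @@
+# Reserved values
+#
+255 local
+254 main
+253 default
+0 unspec
+#
+# Local routing tables
+#
+200 proxy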

@@ -0,0 +1,30 @@
# Listen only on VPN interface
interface=wg0
bind-interfaces
# Upstream DNS servers
server=8.8.8.8
server=8.8.4.4
server=1.1.1.1
# Don't read /etc/resolv.conf
no-resolv
# Cache settings
cache-size=10000
# Log queries (optional, comment out in production for performance)
# log-queries
# Russian TLDs - add resolved IPs to 'direct' ipset
# These domains will be routed directly, not through DE VDS
ipset=/ru/direct
ipset=/рф/direct
ipset=/su/direct
# Additional Russian domains (optional, can be extended)
# ipset=/yandex.ru/direct
# ipset=/mail.ru/direct
# ipset=/vk.com/direct
# All other domains will go through proxy (default routing)
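Review bot: `bind-interfaces` requires wg0 to exist when dnsmasq starts, so if dnsmasq comes up before the wg-quick unit the bind fails and the service exits; `bind-dynamic` keeps listening restricted to `interface=wg0` but tolerates the interface appearing later, or add an explicit ordering dependency on the wg-quick unit. `domain-needed`, `bogus-priv` and `stop-dns-rebind` are absent; they are the usual hardening for a forwarder serving VPN clients and do not interact with the `ipset=` lines. The upstreams are public resolvers queried in cleartext from the VDS's own address, which is consistent with the design but worth stating in the header comment.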

9
configs/ru-vds/wg0.conf Normal file

@@ -0,0 +1,9 @@
[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = __RU_SERVER_PRIVATE_KEY__
PostUp = /etc/wireguard/postup.sh
PostDown = /etc/wireguard/postdown.sh
# Client peers will be added below
# Use scripts/add-client.sh to add new clients
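Review bot: `PostUp = /etc/wireguard/postup.sh` and `PostDown` are executed by wg-quick as root, so those scripts, and this file holding the private key, need to be root-owned and not group/world-writable; a comment here stating that expectation (`chmod 700` on the scripts, `chmod 600` on wg0.conf) would help since the scripts live outside the config. The placeholder `__RU_SERVER_PRIVATE_KEY__` follows a different convention from `<CLIENT_PRIVATE_KEY>` in the client template hunk; one convention makes the substitution script simpler.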

10
configs/ru-vds/wg1.conf Normal file

@@ -0,0 +1,10 @@
[Interface]
Address = 10.20.0.1/30
PrivateKey = __RU_DE_TUNNEL_PRIVATE_KEY__
[Peer]
# DE VDS (exit node)
PublicKey = __DE_SERVER_PUBLIC_KEY__
Endpoint = 194.31.173.178:51821
AllowedIPs = 10.10.0.0/24
PersistentKeepalive = 25
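Review bot: `AllowedIPs = 10.10.0.0/24` on the DE peer means WireGuard's cryptokey routing only hands packets whose destination is in 10.10.0.0/24 to that peer, yet the `proxy` table set up in postup.sh routes client traffic for arbitrary Internet destinations out of wg1; as I read it those packets are dropped at the interface, and replies coming back from the DE side with an Internet source address are rejected on receipt for the same reason. The peer needs `AllowedIPs = 0.0.0.0/0`, with `Table = off` added under `[Interface]` so wg-quick does not also install a default route through wg1 outside the policy table. The DE side's `AllowedIPs = 10.20.0.1/32, 10.10.0.0/24` is correct as written, since client sources are not masqueraded on the RU host.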