Init

scripts/add-client.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+set -e
+
+# Script to add a new VPN client
+# Usage: ./add-client.sh <client_name>
+
+if [ "$EUID" -ne 0 ]; then
+    echo "ERROR: Please run as root"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 <client_name>"
+    echo "Example: $0 phone"
+    exit 1
+fi
+
+CLIENT_NAME="$1"
+KEYS_DIR="/etc/wireguard/keys"
+CLIENTS_DIR="/etc/wireguard/clients"
+WG_INTERFACE="wg0"
+
+# Check if client already exists
+if [ -f "${KEYS_DIR}/client_${CLIENT_NAME}.key" ]; then
+    echo "ERROR: Client '${CLIENT_NAME}' already exists"
+    exit 1
+fi
+
+echo "Adding new VPN client: ${CLIENT_NAME}"
+echo ""
+
+# Find next available IP
+USED_IPS=$(wg show ${WG_INTERFACE} allowed-ips 2>/dev/null | grep -oP '10\.10\.0\.\K[0-9]+' | sort -n)
+NEXT_IP=2
+for ip in $USED_IPS; do
+    if [ $ip -ge $NEXT_IP ]; then
+        NEXT_IP=$((ip + 1))
+    fi
+done
+
+if [ $NEXT_IP -gt 254 ]; then
+    echo "ERROR: No available IPs in 10.10.0.0/24 range"
+    exit 1
+fi
+
+CLIENT_IP="10.10.0.${NEXT_IP}"
+
+echo "[1/5] Generating client keys..."
+wg genkey | tee "${KEYS_DIR}/client_${CLIENT_NAME}.key" | wg pubkey > "${KEYS_DIR}/client_${CLIENT_NAME}.pub"
+chmod 600 "${KEYS_DIR}/client_${CLIENT_NAME}."*
+
+CLIENT_PRIVATE_KEY=$(cat "${KEYS_DIR}/client_${CLIENT_NAME}.key")
+CLIENT_PUBLIC_KEY=$(cat "${KEYS_DIR}/client_${CLIENT_NAME}.pub")
+SERVER_PUBLIC_KEY=$(cat "${KEYS_DIR}/server.pub")
+
+echo "[2/5] Adding peer to WireGuard interface..."
+wg set ${WG_INTERFACE} peer ${CLIENT_PUBLIC_KEY} allowed-ips ${CLIENT_IP}/32
+
+echo "[3/5] Saving WireGuard configuration..."
+wg-quick save ${WG_INTERFACE}
+
+echo "[4/5] Creating client configuration file..."
+mkdir -p ${CLIENTS_DIR}
+
+cat > "${CLIENTS_DIR}/${CLIENT_NAME}.conf" << EOF
+[Interface]
+PrivateKey = ${CLIENT_PRIVATE_KEY}
+Address = ${CLIENT_IP}/32
+DNS = 10.10.0.1
+
+[Peer]
+PublicKey = ${SERVER_PUBLIC_KEY}
+Endpoint = 176.124.216.197:51820
+AllowedIPs = 0.0.0.0/0
+PersistentKeepalive = 25
+EOF
+
+chmod 600 "${CLIENTS_DIR}/${CLIENT_NAME}.conf"
+
+echo "[5/5] Generating QR code..."
+echo ""
+echo "========================================="
+echo "Client added successfully!"
+echo "========================================="
+echo ""
+echo "Client name: ${CLIENT_NAME}"
+echo "Client IP: ${CLIENT_IP}"
+echo ""
+echo "Configuration file: ${CLIENTS_DIR}/${CLIENT_NAME}.conf"
+echo ""
+echo "QR Code (scan with WireGuard mobile app):"
+echo ""
+qrencode -t ansiutf8 < "${CLIENTS_DIR}/${CLIENT_NAME}.conf"
+echo ""
+echo "Or copy the configuration from:"
+echo "  cat ${CLIENTS_DIR}/${CLIENT_NAME}.conf"
+echo ""

scripts/disable-client.sh

@@ -0,0 +1,53 @@
+#!/bin/bash
+set -e
+
+# Script to disable a VPN client (keeps keys but removes from WireGuard)
+# Usage: ./disable-client.sh <client_name>
+
+if [ "$EUID" -ne 0 ]; then
+    echo "ERROR: Please run as root"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 <client_name>"
+    echo "Example: $0 phone"
+    exit 1
+fi
+
+CLIENT_NAME="$1"
+KEYS_DIR="/etc/wireguard/keys"
+WG_INTERFACE="wg0"
+
+# Check if client exists
+if [ ! -f "${KEYS_DIR}/client_${CLIENT_NAME}.pub" ]; then
+    echo "ERROR: Client '${CLIENT_NAME}' does not exist"
+    exit 1
+fi
+
+CLIENT_PUBLIC_KEY=$(cat "${KEYS_DIR}/client_${CLIENT_NAME}.pub")
+
+# Check if client is currently active
+if ! wg show ${WG_INTERFACE} | grep -q "${CLIENT_PUBLIC_KEY}"; then
+    echo "Client '${CLIENT_NAME}' is already disabled"
+    exit 0
+fi
+
+echo "Disabling VPN client: ${CLIENT_NAME}"
+echo ""
+
+echo "[1/2] Removing peer from WireGuard interface..."
+wg set ${WG_INTERFACE} peer ${CLIENT_PUBLIC_KEY} remove
+
+echo "[2/2] Saving WireGuard configuration..."
+wg-quick save ${WG_INTERFACE}
+
+echo ""
+echo "========================================="
+echo "Client disabled successfully!"
+echo "========================================="
+echo ""
+echo "Client '${CLIENT_NAME}' is now disabled"
+echo "Keys and configuration are preserved"
+echo "To re-enable, use: ./enable-client.sh ${CLIENT_NAME}"
+echo ""

scripts/enable-client.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+set -e
+
+# Script to enable a previously disabled VPN client
+# Usage: ./enable-client.sh <client_name>
+
+if [ "$EUID" -ne 0 ]; then
+    echo "ERROR: Please run as root"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 <client_name>"
+    echo "Example: $0 phone"
+    exit 1
+fi
+
+CLIENT_NAME="$1"
+KEYS_DIR="/etc/wireguard/keys"
+CLIENTS_DIR="/etc/wireguard/clients"
+WG_INTERFACE="wg0"
+
+# Check if client exists
+if [ ! -f "${KEYS_DIR}/client_${CLIENT_NAME}.pub" ]; then
+    echo "ERROR: Client '${CLIENT_NAME}' does not exist"
+    exit 1
+fi
+
+if [ ! -f "${CLIENTS_DIR}/${CLIENT_NAME}.conf" ]; then
+    echo "ERROR: Client configuration file not found"
+    exit 1
+fi
+
+CLIENT_PUBLIC_KEY=$(cat "${KEYS_DIR}/client_${CLIENT_NAME}.pub")
+
+# Check if client is already active
+if wg show ${WG_INTERFACE} | grep -q "${CLIENT_PUBLIC_KEY}"; then
+    echo "Client '${CLIENT_NAME}' is already enabled"
+    exit 0
+fi
+
+# Extract IP from client config
+CLIENT_IP=$(grep "^Address" "${CLIENTS_DIR}/${CLIENT_NAME}.conf" | awk '{print $3}')
+
+if [ -z "${CLIENT_IP}" ]; then
+    echo "ERROR: Could not determine client IP from config"
+    exit 1
+fi
+
+echo "Enabling VPN client: ${CLIENT_NAME}"
+echo ""
+
+echo "[1/2] Adding peer to WireGuard interface..."
+wg set ${WG_INTERFACE} peer ${CLIENT_PUBLIC_KEY} allowed-ips ${CLIENT_IP}
+
+echo "[2/2] Saving WireGuard configuration..."
+wg-quick save ${WG_INTERFACE}
+
+echo ""
+echo "========================================="
+echo "Client enabled successfully!"
+echo "========================================="
+echo ""
+echo "Client '${CLIENT_NAME}' is now active"
+echo "IP Address: ${CLIENT_IP}"
+echo ""

scripts/list-clients.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+
+# Script to list all VPN clients and their status
+# Usage: ./list-clients.sh
+
+if [ "$EUID" -ne 0 ]; then
+    echo "ERROR: Please run as root"
+    exit 1
+fi
+
+WG_INTERFACE="wg0"
+KEYS_DIR="/etc/wireguard/keys"
+
+echo "========================================="
+echo "VPN Clients Status"
+echo "========================================="
+echo ""
+
+# Check if interface is up
+if ! ip link show ${WG_INTERFACE} &>/dev/null; then
+    echo "ERROR: ${WG_INTERFACE} interface is not up"
+    exit 1
+fi
+
+# Get list of client keys
+CLIENT_KEYS=$(ls ${KEYS_DIR}/client_*.pub 2>/dev/null | sed 's|.*/client_||; s|\.pub$||')
+
+if [ -z "${CLIENT_KEYS}" ]; then
+    echo "No clients configured"
+    exit 0
+fi
+
+# Table header
+printf "%-15s %-15s %-45s %-20s %s\n" "Client" "IP Address" "Public Key" "Latest Handshake" "Transfer"
+echo "---------------------------------------------------------------------------------------------------------------------------"
+
+for client in ${CLIENT_KEYS}; do
+    CLIENT_PUBKEY=$(cat "${KEYS_DIR}/client_${client}.pub")
+
+    # Get client info from wg show
+    CLIENT_INFO=$(wg show ${WG_INTERFACE} | grep -A 5 "${CLIENT_PUBKEY}" || echo "")
+
+    if [ -z "${CLIENT_INFO}" ]; then
+        # Client key exists but not in wg config (disabled)
+        printf "%-15s %-15s %-45s %-20s %s\n" "${client}" "N/A" "${CLIENT_PUBKEY:0:40}..." "DISABLED" "N/A"
+    else
+        # Extract details
+        ALLOWED_IP=$(echo "${CLIENT_INFO}" | grep "allowed ips:" | awk '{print $3}' | cut -d'/' -f1)
+        HANDSHAKE=$(echo "${CLIENT_INFO}" | grep "latest handshake:" | cut -d':' -f2- | xargs)
+        TRANSFER=$(echo "${CLIENT_INFO}" | grep "transfer:" | cut -d':' -f2- | xargs)
+
+        # Format handshake
+        if [ -z "${HANDSHAKE}" ]; then
+            HANDSHAKE="Never"
+        fi
+
+        # Format transfer
+        if [ -z "${TRANSFER}" ]; then
+            TRANSFER="N/A"
+        fi
+
+        printf "%-15s %-15s %-45s %-20s %s\n" "${client}" "${ALLOWED_IP}" "${CLIENT_PUBKEY:0:40}..." "${HANDSHAKE}" "${TRANSFER}"
+    fi
+done
+
+echo ""
+echo "Total clients: $(echo "${CLIENT_KEYS}" | wc -w)"
+echo ""

scripts/remove-client.sh

@@ -0,0 +1,51 @@
+#!/bin/bash
+set -e
+
+# Script to remove a VPN client
+# Usage: ./remove-client.sh <client_name>
+
+if [ "$EUID" -ne 0 ]; then
+    echo "ERROR: Please run as root"
+    exit 1
+fi
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 <client_name>"
+    echo "Example: $0 phone"
+    exit 1
+fi
+
+CLIENT_NAME="$1"
+KEYS_DIR="/etc/wireguard/keys"
+CLIENTS_DIR="/etc/wireguard/clients"
+WG_INTERFACE="wg0"
+
+# Check if client exists
+if [ ! -f "${KEYS_DIR}/client_${CLIENT_NAME}.pub" ]; then
+    echo "ERROR: Client '${CLIENT_NAME}' does not exist"
+    exit 1
+fi
+
+CLIENT_PUBLIC_KEY=$(cat "${KEYS_DIR}/client_${CLIENT_NAME}.pub")
+
+echo "Removing VPN client: ${CLIENT_NAME}"
+echo ""
+
+echo "[1/4] Removing peer from WireGuard interface..."
+wg set ${WG_INTERFACE} peer ${CLIENT_PUBLIC_KEY} remove
+
+echo "[2/4] Saving WireGuard configuration..."
+wg-quick save ${WG_INTERFACE}
+
+echo "[3/4] Removing client keys..."
+rm -f "${KEYS_DIR}/client_${CLIENT_NAME}.key"
+rm -f "${KEYS_DIR}/client_${CLIENT_NAME}.pub"
+
+echo "[4/4] Removing client configuration..."
+rm -f "${CLIENTS_DIR}/${CLIENT_NAME}.conf"
+
+echo ""
+echo "========================================="
+echo "Client removed successfully!"
+echo "========================================="
+echo ""

scripts/setup-de-vds.sh

@@ -0,0 +1,137 @@
+#!/bin/bash
+set -e
+
+# Setup script for DE VDS (Exit Node)
+# Run this script as root on the DE VDS server
+
+echo "========================================="
+echo "DE VDS (Exit Node) Setup"
+echo "========================================="
+echo ""
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+    echo "ERROR: Please run as root"
+    exit 1
+fi
+
+echo "[1/7] Updating system packages..."
+apt update
+apt upgrade -y
+
+echo "[2/7] Installing required packages..."
+apt install -y wireguard nftables iptables
+
+echo "[3/7] Enabling IP forwarding..."
+cat > /etc/sysctl.d/99-vpn.conf << 'EOF'
+# Enable IP forwarding for VPN
+net.ipv4.ip_forward = 1
+EOF
+sysctl -p /etc/sysctl.d/99-vpn.conf
+
+echo "[4/7] Generating WireGuard keys..."
+mkdir -p /etc/wireguard/keys
+chmod 700 /etc/wireguard/keys
+wg genkey | tee /etc/wireguard/keys/server.key | wg pubkey > /etc/wireguard/keys/server.pub
+chmod 600 /etc/wireguard/keys/*
+
+echo "[5/7] Creating WireGuard configuration..."
+cat > /etc/wireguard/wg0.conf << 'EOF'
+[Interface]
+Address = 10.20.0.2/30
+ListenPort = 51821
+PrivateKey = __DE_SERVER_PRIVATE_KEY__
+PostUp = nft -f /etc/nftables.conf
+PostDown = nft flush ruleset
+
+[Peer]
+# RU VDS (server tunnel)
+PublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__
+AllowedIPs = 10.20.0.1/32, 10.10.0.0/24
+EOF
+
+# Replace private key placeholder
+PRIVATE_KEY=$(cat /etc/wireguard/keys/server.key)
+sed -i "s|__DE_SERVER_PRIVATE_KEY__|${PRIVATE_KEY}|g" /etc/wireguard/wg0.conf
+
+echo "[6/7] Creating nftables configuration..."
+cat > /etc/nftables.conf << 'EOF'
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+
+        # Allow established connections
+        ct state established,related accept
+
+        # Allow loopback
+        iif lo accept
+
+        # Allow SSH (adjust port if needed)
+        tcp dport 22 accept
+
+        # Allow WireGuard from RU VDS only
+        ip saddr 176.124.216.197 udp dport 51821 accept
+
+        # Allow ICMP
+        icmp type echo-request accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+
+        # Allow forwarding from VPN
+        iifname "wg0" accept
+
+        # Allow established connections back
+        ct state established,related accept
+    }
+
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+}
+
+table inet nat {
+    chain postrouting {
+        type nat hook postrouting priority 100;
+
+        # NAT traffic from VPN to internet
+        oifname != "wg0" ip saddr { 10.10.0.0/24, 10.20.0.0/30 } masquerade
+    }
+}
+EOF
+
+chmod +x /etc/nftables.conf
+
+echo "[7/7] Enabling services..."
+systemctl enable nftables
+systemctl enable wg-quick@wg0
+
+echo ""
+echo "========================================="
+echo "Setup completed!"
+echo "========================================="
+echo ""
+echo "IMPORTANT: Next steps"
+echo ""
+echo "1. Your DE VDS public key is:"
+echo ""
+cat /etc/wireguard/keys/server.pub
+echo ""
+echo "2. You need to get the RU VDS public key (from de-tunnel.pub)"
+echo ""
+echo "3. Edit /etc/wireguard/wg0.conf and replace:"
+echo "   __RU_DE_TUNNEL_PUBLIC_KEY__ with the actual RU VDS de-tunnel public key"
+echo ""
+echo "4. Start the services:"
+echo "   systemctl start nftables"
+echo "   systemctl start wg-quick@wg0"
+echo ""
+echo "5. Verify the tunnel:"
+echo "   wg show"
+echo "   ping 10.20.0.1"
+echo ""

scripts/setup-ru-vds.sh

@@ -0,0 +1,261 @@
+#!/bin/bash
+set -e
+
+# Setup script for RU VDS (Gateway)
+# Run this script as root on the RU VDS server
+
+echo "========================================="
+echo "RU VDS (Gateway) Setup"
+echo "========================================="
+echo ""
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+    echo "ERROR: Please run as root"
+    exit 1
+fi
+
+echo "[1/10] Updating system packages..."
+apt update
+apt upgrade -y
+
+echo "[2/10] Installing required packages..."
+apt install -y wireguard dnsmasq nftables iptables ipset qrencode
+
+echo "[3/10] Disabling systemd-resolved (conflicts with dnsmasq)..."
+systemctl disable --now systemd-resolved 2>/dev/null || true
+rm -f /etc/resolv.conf
+cat > /etc/resolv.conf << 'EOF'
+nameserver 8.8.8.8
+nameserver 1.1.1.1
+EOF
+
+echo "[4/10] Enabling IP forwarding..."
+cat > /etc/sysctl.d/99-vpn.conf << 'EOF'
+# Enable IP forwarding for VPN
+net.ipv4.ip_forward = 1
+EOF
+sysctl -p /etc/sysctl.d/99-vpn.conf
+
+echo "[5/10] Generating WireGuard keys..."
+mkdir -p /etc/wireguard/keys
+chmod 700 /etc/wireguard/keys
+
+# Server key for user-facing interface
+wg genkey | tee /etc/wireguard/keys/server.key | wg pubkey > /etc/wireguard/keys/server.pub
+
+# Key for DE tunnel
+wg genkey | tee /etc/wireguard/keys/de-tunnel.key | wg pubkey > /etc/wireguard/keys/de-tunnel.pub
+
+chmod 600 /etc/wireguard/keys/*
+
+echo "[6/10] Adding custom routing table..."
+if ! grep -q "^200[[:space:]]*proxy" /etc/iproute2/rt_tables; then
+    echo "200     proxy" >> /etc/iproute2/rt_tables
+fi
+
+echo "[7/10] Creating WireGuard configurations..."
+
+# wg0 - user-facing
+cat > /etc/wireguard/wg0.conf << 'EOF'
+[Interface]
+Address = 10.10.0.1/24
+ListenPort = 51820
+PrivateKey = __RU_SERVER_PRIVATE_KEY__
+PostUp = /etc/wireguard/postup.sh
+PostDown = /etc/wireguard/postdown.sh
+
+# Client peers will be added below
+# Use add-client.sh script to add new clients
+EOF
+
+# Replace private key placeholder
+PRIVATE_KEY=$(cat /etc/wireguard/keys/server.key)
+sed -i "s|__RU_SERVER_PRIVATE_KEY__|${PRIVATE_KEY}|g" /etc/wireguard/wg0.conf
+
+# wg1 - DE tunnel
+cat > /etc/wireguard/wg1.conf << 'EOF'
+[Interface]
+Address = 10.20.0.1/30
+PrivateKey = __RU_DE_TUNNEL_PRIVATE_KEY__
+
+[Peer]
+# DE VDS (exit node)
+PublicKey = __DE_SERVER_PUBLIC_KEY__
+Endpoint = 194.31.173.178:51821
+AllowedIPs = 10.10.0.0/24
+PersistentKeepalive = 25
+EOF
+
+# Replace private key placeholder
+DE_TUNNEL_KEY=$(cat /etc/wireguard/keys/de-tunnel.key)
+sed -i "s|__RU_DE_TUNNEL_PRIVATE_KEY__|${DE_TUNNEL_KEY}|g" /etc/wireguard/wg1.conf
+
+echo "[8/10] Creating WireGuard helper scripts..."
+
+# PostUp script
+cat > /etc/wireguard/postup.sh << 'EOF'
+#!/bin/bash
+set -e
+
+# Create ipsets for routing decisions
+ipset create direct hash:net -exist
+ipset flush direct
+
+# Add default route via DE tunnel for 'proxy' table
+ip route add default via 10.20.0.2 dev wg1 table proxy 2>/dev/null || true
+
+# Policy routing: packets with fwmark 0x1 use 'proxy' table
+ip rule add from 10.10.0.0/24 fwmark 0x1 table proxy priority 100 2>/dev/null || true
+
+# Load nftables rules
+nft -f /etc/nftables.conf
+
+# Mark packets NOT going to 'direct' ipset with fwmark 0x1
+iptables -t mangle -I PREROUTING -m set ! --match-set direct dst -s 10.10.0.0/24 -j MARK --set-mark 0x1
+
+echo "PostUp script completed successfully"
+EOF
+
+# PostDown script
+cat > /etc/wireguard/postdown.sh << 'EOF'
+#!/bin/bash
+
+# Remove policy routing rule
+ip rule del from 10.10.0.0/24 fwmark 0x1 table proxy priority 100 2>/dev/null || true
+
+# Flush routing table
+ip route flush table proxy 2>/dev/null || true
+
+# Remove iptables mangle rule
+iptables -t mangle -F PREROUTING 2>/dev/null || true
+
+# Destroy ipsets
+ipset destroy direct 2>/dev/null || true
+
+echo "PostDown script completed"
+EOF
+
+chmod +x /etc/wireguard/postup.sh
+chmod +x /etc/wireguard/postdown.sh
+
+echo "[9/10] Creating nftables configuration..."
+cat > /etc/nftables.conf << 'EOF'
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+
+        # Allow established connections
+        ct state established,related accept
+
+        # Allow loopback
+        iif lo accept
+
+        # Allow SSH (adjust port if needed)
+        tcp dport 22 accept
+
+        # Allow WireGuard from anywhere (user connections)
+        udp dport 51820 accept
+
+        # Allow DNS from VPN clients only
+        iifname "wg0" udp dport 53 accept
+        iifname "wg0" tcp dport 53 accept
+
+        # Allow ICMP
+        icmp type echo-request accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+
+        # Allow forwarding from user VPN
+        iifname "wg0" accept
+
+        # Allow forwarding from DE tunnel
+        iifname "wg1" accept
+
+        # Allow established connections
+        ct state established,related accept
+    }
+
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+}
+
+table inet nat {
+    chain postrouting {
+        type nat hook postrouting priority 100;
+
+        # NAT direct traffic going out main interface
+        oifname != "wg0" oifname != "wg1" ip saddr 10.10.0.0/24 masquerade
+    }
+}
+EOF
+
+chmod +x /etc/nftables.conf
+
+echo "[10/10] Configuring dnsmasq..."
+cat > /etc/dnsmasq.d/vpn-routing.conf << 'EOF'
+# Listen only on VPN interface
+interface=wg0
+bind-interfaces
+
+# Upstream DNS servers
+server=8.8.8.8
+server=8.8.4.4
+server=1.1.1.1
+
+# Don't read /etc/resolv.conf
+no-resolv
+
+# Cache settings
+cache-size=10000
+
+# Russian TLDs - add resolved IPs to 'direct' ipset
+ipset=/ru/direct
+ipset=/рф/direct
+ipset=/su/direct
+
+# All other domains will go through proxy (default routing)
+EOF
+
+# Create clients directory
+mkdir -p /etc/wireguard/clients
+
+echo ""
+echo "========================================="
+echo "Setup completed!"
+echo "========================================="
+echo ""
+echo "IMPORTANT: Next steps"
+echo ""
+echo "1. Your RU VDS public keys are:"
+echo ""
+echo "   Server key (for clients):"
+cat /etc/wireguard/keys/server.pub
+echo ""
+echo "   DE tunnel key (for DE VDS):"
+cat /etc/wireguard/keys/de-tunnel.pub
+echo ""
+echo "2. You need to get the DE VDS public key"
+echo ""
+echo "3. Edit /etc/wireguard/wg1.conf and replace:"
+echo "   __DE_SERVER_PUBLIC_KEY__ with the actual DE VDS public key"
+echo ""
+echo "4. Enable and start services:"
+echo "   systemctl enable nftables dnsmasq"
+echo "   systemctl start dnsmasq"
+echo "   systemctl start wg-quick@wg1"
+echo "   systemctl start wg-quick@wg0"
+echo ""
+echo "5. Verify the tunnel:"
+echo "   wg show"
+echo "   ping 10.20.0.2"
+echo ""
+echo "6. Add clients using: /root/add-client.sh <client_name>"
+echo ""