Init

scripts/setup-de-vds.sh

@@ -0,0 +1,137 @@
+#!/bin/bash
+set -e
+
+# Setup script for DE VDS (Exit Node)
+# Run this script as root on the DE VDS server
+
+echo "========================================="
+echo "DE VDS (Exit Node) Setup"
+echo "========================================="
+echo ""
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+    echo "ERROR: Please run as root"
+    exit 1
+fi
+
+echo "[1/7] Updating system packages..."
+apt update
+apt upgrade -y
+
+echo "[2/7] Installing required packages..."
+apt install -y wireguard nftables iptables
+
+echo "[3/7] Enabling IP forwarding..."
+cat > /etc/sysctl.d/99-vpn.conf << 'EOF'
+# Enable IP forwarding for VPN
+net.ipv4.ip_forward = 1
+EOF
+sysctl -p /etc/sysctl.d/99-vpn.conf
+
+echo "[4/7] Generating WireGuard keys..."
+mkdir -p /etc/wireguard/keys
+chmod 700 /etc/wireguard/keys
+wg genkey | tee /etc/wireguard/keys/server.key | wg pubkey > /etc/wireguard/keys/server.pub
+chmod 600 /etc/wireguard/keys/*
+
+echo "[5/7] Creating WireGuard configuration..."
+cat > /etc/wireguard/wg0.conf << 'EOF'
+[Interface]
+Address = 10.20.0.2/30
+ListenPort = 51821
+PrivateKey = __DE_SERVER_PRIVATE_KEY__
+PostUp = nft -f /etc/nftables.conf
+PostDown = nft flush ruleset
+
+[Peer]
+# RU VDS (server tunnel)
+PublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__
+AllowedIPs = 10.20.0.1/32, 10.10.0.0/24
+EOF
+
+# Replace private key placeholder
+PRIVATE_KEY=$(cat /etc/wireguard/keys/server.key)
+sed -i "s|__DE_SERVER_PRIVATE_KEY__|${PRIVATE_KEY}|g" /etc/wireguard/wg0.conf
+
+echo "[6/7] Creating nftables configuration..."
+cat > /etc/nftables.conf << 'EOF'
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+
+        # Allow established connections
+        ct state established,related accept
+
+        # Allow loopback
+        iif lo accept
+
+        # Allow SSH (adjust port if needed)
+        tcp dport 22 accept
+
+        # Allow WireGuard from RU VDS only
+        ip saddr 176.124.216.197 udp dport 51821 accept
+
+        # Allow ICMP
+        icmp type echo-request accept
+    }
+
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+
+        # Allow forwarding from VPN
+        iifname "wg0" accept
+
+        # Allow established connections back
+        ct state established,related accept
+    }
+
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+}
+
+table inet nat {
+    chain postrouting {
+        type nat hook postrouting priority 100;
+
+        # NAT traffic from VPN to internet
+        oifname != "wg0" ip saddr { 10.10.0.0/24, 10.20.0.0/30 } masquerade
+    }
+}
+EOF
+
+chmod +x /etc/nftables.conf
+
+echo "[7/7] Enabling services..."
+systemctl enable nftables
+systemctl enable wg-quick@wg0
+
+echo ""
+echo "========================================="
+echo "Setup completed!"
+echo "========================================="
+echo ""
+echo "IMPORTANT: Next steps"
+echo ""
+echo "1. Your DE VDS public key is:"
+echo ""
+cat /etc/wireguard/keys/server.pub
+echo ""
+echo "2. You need to get the RU VDS public key (from de-tunnel.pub)"
+echo ""
+echo "3. Edit /etc/wireguard/wg0.conf and replace:"
+echo "   __RU_DE_TUNNEL_PUBLIC_KEY__ with the actual RU VDS de-tunnel public key"
+echo ""
+echo "4. Start the services:"
+echo "   systemctl start nftables"
+echo "   systemctl start wg-quick@wg0"
+echo ""
+echo "5. Verify the tunnel:"
+echo "   wg show"
+echo "   ping 10.20.0.1"
+echo ""