Migrate to pure nftables routing (remove iptables/ipset)

- Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-19 18:02:28 +03:00
parent b117efc604
commit f14d4f8f33
13 changed files with 461 additions and 264 deletions
--- a/DEPLOYMENT.md
+++ b/DEPLOYMENT.md
@@ -231,8 +231,8 @@ wg show wg0
 # Check routing table
 ip route show table proxy

-# Check ipset
-ipset list direct
+# Check nftables set (will be empty until IP ranges are loaded)
+nft list set ip vpn-routing direct

 # Check policy routing rules
 ip rule show
@@ -240,9 +240,19 @@ ip rule show

 Expected output:
 - Routing table `proxy` should have default route via `10.20.0.2`
- ipset `direct` should exist (empty initially)
+- nftables set `direct` should exist
 - Policy routing rule for `10.10.0.0/24` with fwmark `0x1`

+### 5.4 Load Russian IP ranges
+
+```bash
+# Load Russian IP ranges into nftables (takes 1-2 minutes)
+/etc/wireguard/update-direct-routes.sh
+
+# Verify ranges were loaded
+nft list set ip vpn-routing direct | head -20
+```
+
 ---

 ## Step 6: Add First Client
@@ -331,23 +341,22 @@ curl ifconfig.me
 On RU VDS:

 ```bash
-# After client visits .ru domains, check direct ipset
-ipset list direct
+# Check that Russian IP ranges are loaded
+nft list set ip vpn-routing direct | wc -l

-# Should show Russian IPs
+# Should show many IP ranges (thousands)
 ```

 ### 7.4 Advanced testing

-Test that `.ru` domains go direct:
+Test that Russian IPs go direct:

 ```bash
 # From client - visit some Russian sites
 curl -I https://yandex.ru
 curl -I https://mail.ru

-# Then on RU VDS - check ipset
-ipset list direct
+# These should be fast (direct routing)
 ```

 Test that other domains go through DE:
@@ -447,14 +456,14 @@ ip route show table proxy
 ip rule show
 ```

-**Check ipset:**
+**Check nftables set:**
 ```bash
-ipset list direct
+nft list set ip vpn-routing direct | head -20
 ```

-**Check iptables mangle:**
+**Check nftables rules:**
 ```bash
-iptables -t mangle -L -v
+nft list chain ip vpn-routing prerouting
 ```

 ### Client can't connect
@@ -612,5 +621,8 @@ ping 10.20.0.2

 # Check routing
 ip route show table proxy
-ipset list direct
+nft list set ip vpn-routing direct | head -20
+
+# Update Russian IP ranges
+/etc/wireguard/update-direct-routes.sh
 ```