Migrate to pure nftables routing (remove iptables/ipset)

- Replace hybrid iptables/ipset/nftables approach with pure nftables
- Add nftables native set for Russian IP ranges (populated from RIPE)
- Create update-direct-routes.sh script to load IP ranges from RIPE database
- Remove ipset and iptables dependencies from postup.sh/postdown.sh
- Add automatic weekly cron job for IP range updates
- Update all documentation to reflect the new approach

Benefits:
- More reliable: no iptables/nftables conflicts
- Simpler debugging: single tool for all rules (nft list ruleset)
- Atomic rule loading: prevents partial failures
- IP-based routing is more predictable than DNS-based

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mguschin
2026-02-19 18:02:28 +03:00
parent b117efc604
commit f14d4f8f33
13 changed files with 461 additions and 264 deletions


@@ -81,13 +81,17 @@ systemctl start wg-quick@wg1
systemctl start wg-quick@wg0
```
### Step 5: Verify Tunnel (2 min)
### Step 5: Verify Tunnel & Load Routes (3 min)
**On RU VDS:**
```bash
# Test tunnel
ping -c 4 10.20.0.2
wg show wg1
# Should see successful ping and recent handshake
# Load Russian IP ranges (takes 1-2 minutes)
/etc/wireguard/update-direct-routes.sh
```
### Step 6: Add First Client (5 min)
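Review bot: the new Step 5 runs `/etc/wireguard/update-direct-routes.sh` but gives the reader no way to confirm it worked, so a failed or partial load (the commit message says the ranges are fetched from RIPE, so the RU VDS needs outbound access at this point) only shows up later as "routing not working". Suggest ending the block with the same check the troubleshooting section relies on, e.g. `nft list set ip vpn-routing direct | head`, and stating what a populated set looks like, so the step actually verifies routes as its new title promises.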
@@ -182,8 +186,11 @@ journalctl -u dnsmasq -n 50
**Routing not working?**
```bash
# Check ipset after visiting .ru sites
ipset list direct
# Check if Russian IP ranges are loaded
nft list set ip vpn-routing direct | wc -l
# Reload if needed
/etc/wireguard/update-direct-routes.sh
# Check routing table
ip route show table proxy
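Review bot: `nft list set ip vpn-routing direct | wc -l` is not a reliable "are the ranges loaded" check: the output of `nft list set` always contains the table/set wrapper, `type` and `flags` lines, so the count is non-zero even for an empty set, and nft prints several elements per line, so the number is not a count of ranges either. Suggest either counting addresses explicitly (e.g. `nft list set ip vpn-routing direct | grep -oE '[0-9]+(\.[0-9]+){3}' | wc -l`, an approximation) or, better, probing a known Russian address with `nft get element ip vpn-routing direct { <ip> }`, which fails when the set is empty or the address is not covered; also say what a healthy result looks like before telling the reader to reload.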