- Create .env.example with all configurable settings:
- Server IPs (RU_VDS_IP, DE_VDS_IP)
- WireGuard ports (WG_CLIENT_PORT, WG_TUNNEL_PORT)
- VPN networks (USER_VPN_NETWORK, TUNNEL_NETWORK)
- DNS settings, SSH port, timeouts
- Add .gitignore to exclude .env from version control
- Update setup-ru-vds.sh to read from .env
- Update setup-de-vds.sh to read from .env
- Update add-client.sh to use configuration
- Setup scripts save config to /etc/wireguard/vpn.conf for runtime use
- Update documentation with .env usage instructions
This allows easy deployment to test environments by simply
changing values in .env before running setup scripts.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace hybrid iptables/ipset/nftables approach with pure nftables
- Add nftables native set for Russian IP ranges (populated from RIPE)
- Create update-direct-routes.sh script to load IP ranges from RIPE database
- Remove ipset and iptables dependencies from postup.sh/postdown.sh
- Add automatic weekly cron job for IP range updates
- Update all documentation to reflect the new approach
Benefits:
- More reliable: no iptables/nftables conflicts
- Simpler debugging: single tool for all rules (nft list ruleset)
- Atomic rule loading: prevents partial failures
- IP-based routing is more predictable than DNS-based
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
