# Quick Start Guide

Get your VPN network up and running in 30 minutes.

## What You'll Get

A VPN network where:

- `.ru` and `.рф` domains go directly to the internet (fast, no proxy)
- All other domains route through Germany (bypass blocks)
- Easy client management via command-line scripts
- Support for multiple users (up to 253 devices)

## Prerequisites

- 2 VDS servers (already have: RU + DE)
- SSH access with root privileges
- 30 minutes of time

## Deployment Steps

### Step 0: Configure Environment (2 min)

```bash
# On your local machine, in the project directory
cp .env.example .env
nano .env  # Edit values for your servers
```

Key settings to change:

- `RU_VDS_IP` - Your RU gateway server IP
- `DE_VDS_IP` - Your DE exit node server IP

### Step 1: Setup DE VDS (5 min)

```bash
# From your computer (copy .env and script)
# Replace <DE_VDS_IP> with the DE_VDS_IP value from .env
scp .env scripts/setup-de-vds.sh root@<DE_VDS_IP>:/root/

# SSH into DE VDS
ssh root@<DE_VDS_IP>

# Run setup
chmod +x /root/setup-de-vds.sh
/root/setup-de-vds.sh

# Copy the public key that appears (save it for step 3)
```

### Step 2: Setup RU VDS (5 min)

```bash
# From your computer (copy .env and script)
# Replace <RU_VDS_IP> with the RU_VDS_IP value from .env
scp .env scripts/setup-ru-vds.sh root@<RU_VDS_IP>:/root/

# SSH into RU VDS
ssh root@<RU_VDS_IP>

# Run setup
chmod +x /root/setup-ru-vds.sh
/root/setup-ru-vds.sh

# Copy both public keys that appear (save for step 3)
```

### Step 3: Exchange Keys (3 min)

**On DE VDS:**

```bash
nano /etc/wireguard/wg0.conf
# Replace __RU_DE_TUNNEL_PUBLIC_KEY__ with RU's "DE tunnel key"
# Save and exit (Ctrl+X, Y, Enter)
```

**On RU VDS:**

```bash
nano /etc/wireguard/wg1.conf
# Replace __DE_SERVER_PUBLIC_KEY__ with DE's public key
# Save and exit (Ctrl+X, Y, Enter)
```

### Step 4: Start Services (2 min)

**On DE VDS:**

```bash
systemctl start nftables
systemctl start wg-quick@wg0
```

**On RU VDS:**

```bash
systemctl start dnsmasq
systemctl start wg-quick@wg1
systemctl start wg-quick@wg0
```

### Step 5: Verify Tunnel & Load Routes (3 min)

**On RU VDS:**

```bash
# Test tunnel
ping -c 4 10.20.0.2
wg show wg1
# Should see successful ping and recent handshake

# Load Russian IP ranges (takes 1-2 minutes)
/etc/wireguard/update-direct-routes.sh
```

### Step 6: Add First Client (5 min)

**Copy client scripts to RU VDS:**

```bash
# From your computer
scp scripts/*.sh root@176.124.216.197:/root/
```

**On RU VDS:**

```bash
chmod +x /root/*.sh
/root/add-client.sh phone
# Scan the QR code with WireGuard app or copy the config
```

### Step 7: Test (5 min)

**On your client device:**

1. Install WireGuard app
2. Scan QR code or import config
3. Connect to VPN

**Test it works:**

```bash
# Should show DE VDS IP (194.31.173.178)
curl ifconfig.me

# Should resolve through VPN DNS
nslookup google.com
```

**Test routing:**

- Visit google.com → routed through Germany
- Visit yandex.ru → routed directly (faster)

## Done!

Your VPN is now operational.

## Common Commands

```bash
# List all clients
/root/list-clients.sh

# Add new client
/root/add-client.sh laptop

# Disable client temporarily
/root/disable-client.sh phone

# Re-enable client
/root/enable-client.sh phone

# Remove client permanently
/root/remove-client.sh phone

# Check VPN status
wg show

# View logs
journalctl -u wg-quick@wg0 -f
```

## Need Help?

- Full implementation details: [IMPLEMENTATION.md](IMPLEMENTATION.md)
- Deployment guide: [DEPLOYMENT.md](DEPLOYMENT.md)
- Architecture overview: [README.md](README.md)

## Troubleshooting

**Tunnel not connecting?**

```bash
# Check WireGuard status
wg show
systemctl status wg-quick@wg0

# Check if ports are open
ss -ulnp | grep 51820  # RU VDS
ss -ulnp | grep 51821  # DE VDS
```

**DNS not working?**

```bash
# Check dnsmasq
systemctl status dnsmasq
journalctl -u dnsmasq -n 50
```

**Routing not working?**

```bash
# Check if Russian IP ranges are loaded
nft list set ip vpn-routing direct | wc -l

# Reload if needed
/etc/wireguard/update-direct-routes.sh

# Check routing table
ip route show table proxy
ip rule show
```

## Security Notes

- Keep WireGuard keys secure (never share them)
- Change SSH port from default 22
- Use SSH keys instead of passwords
- Remove unused clients promptly
- Monitor logs regularly

## Next Steps

- Add more clients as needed
- Set up automatic security updates
- Configure backups for `/etc/wireguard/`
- Monitor server resources
- Consider setting up monitoring/alerting
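
A pre-flight check for the key exchange in Step 3 and the key-handling advice in Security Notes, added here as an example and not one of the project's scripts. The hypothetical `check_wg_conf` function rejects a config that still contains a `__..._KEY__` placeholder, is accessible to group or others, or carries a malformed key; it assumes GNU `grep` and `stat`.

```bash
#!/usr/bin/env bash
# check_wg_conf: hypothetical pre-flight helper, not one of the project's scripts.
# Assumes GNU grep and GNU stat (stat -c), as found on typical Linux VDS images.

check_wg_conf() {
    local conf="$1" rc=0 mode bad
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 2; }

    # 1. Step 3 placeholders such as __DE_SERVER_PUBLIC_KEY__ must be gone.
    bad=$(grep -nE '__[A-Z0-9_]+__' "$conf" | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "FAIL: unreplaced placeholder on line(s): $bad"; rc=1
    fi

    # 2. The config normally holds a PrivateKey: no group/other access.
    mode=$(stat -c '%a' "$conf")
    case "$mode" in
        ?00) ;;
        *) echo "FAIL: mode $mode on $conf, expected 600"; rc=1 ;;
    esac

    # 3. A WireGuard key is 32 bytes in base64: 43 characters plus '='.
    #    Only line numbers are reported, so no key material reaches the log.
    bad=$(grep -nE '^[[:space:]]*(PublicKey|PrivateKey|PresharedKey)[[:space:]]*=' "$conf" \
          | grep -vE '=[[:space:]]*[A-Za-z0-9+/]{43}=[[:space:]]*$' \
          | cut -d: -f1 | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "FAIL: malformed key on line(s): $bad"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}

# Check every file given on the command line; stop at the first failure.
for f in "$@"; do
    check_wg_conf "$f" || exit 1
done
```

On the RU VDS this can gate Step 4, for example `check_wg_conf /etc/wireguard/wg1.conf && systemctl start wg-quick@wg1`.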