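#!/bin/bash
# Setup script for DE VDS (Exit Node)
# Run this script as root on the DE VDS server
#
# Configuration is loaded from .env file (copy from .env.example)
#
# Writes: /etc/sysctl.d/99-vpn.conf, /etc/wireguard/keys/server.{key,pub},
#         /etc/wireguard/wg0.conf, /etc/nftables.conf
# Re-running is safe: an existing server.key is kept so the RU VDS peer
# does not have to be re-keyed.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ENV_FILE="${SCRIPT_DIR}/../.env"

# Print an error to stderr and abort.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Check if running as root before anything is read or written
if [ "$EUID" -ne 0 ]; then
  die "Please run as root"
fi

# Load configuration
if [ -f "$ENV_FILE" ]; then
  # shellcheck source=/dev/null
  source "$ENV_FILE"
  echo "Loaded configuration from .env"
else
  echo "WARNING: .env file not found at $ENV_FILE" >&2
  echo "Using default values. Copy .env.example to .env to customize." >&2
  echo ""
fi

# Default values (used if .env not present or variable not set)
: "${RU_VDS_IP:=176.124.216.197}"
: "${DE_VDS_IP:=194.31.173.178}"
: "${WG_TUNNEL_PORT:=51821}"
: "${USER_VPN_NETWORK:=10.10.0.0/24}"
: "${TUNNEL_NETWORK:=10.20.0.0/30}"
: "${TUNNEL_RU_IP:=10.20.0.1}"
: "${TUNNEL_DE_IP:=10.20.0.2}"
: "${SSH_PORT:=22}"
# Optional: the RU VDS de-tunnel public key. When not set in .env the
# placeholder is written and must be replaced by hand (see "Next steps").
: "${RU_DE_TUNNEL_PUBLIC_KEY:=__RU_DE_TUNNEL_PUBLIC_KEY__}"

readonly KEY_DIR=/etc/wireguard/keys
readonly KEY_FILE="${KEY_DIR}/server.key"
readonly PUB_FILE="${KEY_DIR}/server.pub"
readonly WG_CONF=/etc/wireguard/wg0.conf
readonly NFT_CONF=/etc/nftables.conf

echo "========================================="
echo "DE VDS (Exit Node) Setup"
echo "========================================="
echo ""
echo "Configuration:"
echo " DE VDS IP: $DE_VDS_IP"
echo " RU VDS IP: $RU_VDS_IP (allowed for WireGuard)"
echo " Tunnel: $TUNNEL_DE_IP <-> $TUNNEL_RU_IP"
echo ""

echo "[1/7] Updating system packages..."
# apt-get has a stable CLI for scripts; apt does not.
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get upgrade -y

echo "[2/7] Installing required packages..."
apt-get install -y wireguard nftables

echo "[3/7] Enabling IP forwarding..."
cat > /etc/sysctl.d/99-vpn.conf << 'EOF'
# Enable IP forwarding for VPN
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/99-vpn.conf

echo "[4/7] Generating WireGuard keys..."
mkdir -p "$KEY_DIR"
chmod 700 "$KEY_DIR"
if [ -s "$KEY_FILE" ]; then
  # Keep the existing key: regenerating would silently break the peer
  # relationship already configured on the RU VDS.
  echo "Existing private key found at $KEY_FILE, keeping it"
else
  # Create the file with mode 600 first so the private key is never
  # world-readable, not even between the write and a later chmod.
  install -m 600 /dev/null "$KEY_FILE"
  wg genkey > "$KEY_FILE"
fi
install -m 600 /dev/null "$PUB_FILE"
wg pubkey < "$KEY_FILE" > "$PUB_FILE"
chmod 600 "$KEY_DIR"/*

echo "[5/7] Creating WireGuard configuration..."
PRIVATE_KEY=$(<"$KEY_FILE")
# wg0.conf contains the private key: create it 600 before writing it.
# The key is expanded directly in the heredoc, so no sed pass over the
# file (and no key on a sed command line) is needed.
#
# No PostDown is written on purpose: "nft flush ruleset" on PostDown
# would remove the entire host firewall (drop policy, SSH restriction,
# NAT) every time wg0 is brought down, leaving the host open with
# ip_forward enabled. /etc/nftables.conf starts with "flush ruleset",
# so re-applying it on PostUp is idempotent.
install -m 600 /dev/null "$WG_CONF"
cat > "$WG_CONF" << EOF
[Interface]
Address = ${TUNNEL_DE_IP}/30
ListenPort = ${WG_TUNNEL_PORT}
PrivateKey = ${PRIVATE_KEY}
PostUp = nft -f ${NFT_CONF}

[Peer]
# RU VDS (server tunnel)
PublicKey = ${RU_DE_TUNNEL_PUBLIC_KEY}
AllowedIPs = ${TUNNEL_RU_IP}/32, ${USER_VPN_NETWORK}
EOF
unset PRIVATE_KEY

echo "[6/7] Creating nftables configuration..."
cat > "$NFT_CONF" << EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Allow established connections
    ct state established,related accept

    # Allow loopback
    iif lo accept

    # Allow SSH
    tcp dport ${SSH_PORT} accept

    # Allow WireGuard from RU VDS only
    ip saddr ${RU_VDS_IP} udp dport ${WG_TUNNEL_PORT} accept

    # Allow ICMP
    icmp type echo-request accept
  }

  chain forward {
    type filter hook forward priority 0; policy drop;

    # Allow forwarding from VPN
    iifname "wg0" accept

    # Allow established connections back
    ct state established,related accept
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table inet nat {
  chain postrouting {
    type nat hook postrouting priority 100;

    # NAT traffic from VPN to internet
    oifname != "wg0" ip saddr { ${USER_VPN_NETWORK}, ${TUNNEL_NETWORK} } masquerade
  }
}
EOF
chmod +x "$NFT_CONF"
# Fail here, before enabling services, if the generated ruleset is invalid.
nft -c -f "$NFT_CONF" || die "generated $NFT_CONF does not parse"

echo "[7/7] Enabling services..."
systemctl enable nftables
systemctl enable wg-quick@wg0

echo ""
echo "========================================="
echo "Setup completed!"
echo "========================================="
echo ""
echo "IMPORTANT: Next steps"
echo ""
echo "1. Your DE VDS public key is:"
echo ""
cat "$PUB_FILE"
echo ""
if [ "$RU_DE_TUNNEL_PUBLIC_KEY" = "__RU_DE_TUNNEL_PUBLIC_KEY__" ]; then
  echo "2. You need to get the RU VDS public key (from de-tunnel.pub)"
  echo ""
  echo "3. Edit $WG_CONF and replace:"
  echo " __RU_DE_TUNNEL_PUBLIC_KEY__ with the actual RU VDS de-tunnel public key"
  echo " (or set RU_DE_TUNNEL_PUBLIC_KEY in .env and re-run this script)"
  echo ""
else
  echo "2. RU VDS public key taken from RU_DE_TUNNEL_PUBLIC_KEY in .env"
  echo ""
  echo "3. Nothing to edit in $WG_CONF"
  echo ""
fi
echo "4. Start the services:"
echo " systemctl start nftables"
echo " systemctl start wg-quick@wg0"
echo ""
echo "5. Verify the tunnel:"
echo " wg show"
echo " ping ${TUNNEL_RU_IP}"
echo ""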