# Deployment Guide

This guide walks you through deploying the VPN network on your actual servers.

## Prerequisites

- SSH access to both VDS servers
- Root or sudo privileges
- Basic familiarity with Linux command line

## Infrastructure

| Server | IP | Role |
|--------|-----|------|
| DE VDS | 194.31.173.178 | Exit node (Debian 13) |
| RU VDS | 176.124.216.197 | Gateway (Debian 12) |

---

## Step 1: Deploy DE VDS (Exit Node)

### 1.1 Copy setup script to DE VDS

From your local machine:

```bash
scp scripts/setup-de-vds.sh root@194.31.173.178:/root/
```

### 1.2 Run setup script

SSH into DE VDS:

```bash
ssh root@194.31.173.178
```

Run the setup:

```bash
cd /root
chmod +x setup-de-vds.sh
./setup-de-vds.sh
```

### 1.3 Save the DE VDS public key

The script will output the DE VDS public key. **Copy it** - you'll need it for RU VDS.

Example output:

```
Your DE VDS public key is:
Xabc123def456ghi789jkl012mno345pqr678stu901vwx234=
```

**Do not start services yet** - we need to exchange keys first.

---

## Step 2: Deploy RU VDS (Gateway)

### 2.1 Copy setup script to RU VDS

From your local machine:

```bash
scp scripts/setup-ru-vds.sh root@176.124.216.197:/root/
```

### 2.2 Run setup script

SSH into RU VDS:

```bash
ssh root@176.124.216.197
```

Run the setup:

```bash
cd /root
chmod +x setup-ru-vds.sh
./setup-ru-vds.sh
```

### 2.3 Save the RU VDS keys

The script will output two public keys:

1. **Server key** - for clients (you'll use this later when adding clients)
2. **DE tunnel key** - for DE VDS

Example output:

```
Server key (for clients):
Yabc123def456ghi789jkl012mno345pqr678stu901vwx234=

DE tunnel key (for DE VDS):
Zabc123def456ghi789jkl012mno345pqr678stu901vwx234=
```

**Copy both keys** and keep them safe.

**Do not start services yet** - we need to configure keys first.
---

## Step 3: Exchange Keys

### 3.1 Configure DE VDS with RU key

SSH into DE VDS:

```bash
ssh root@194.31.173.178
```

Edit WireGuard config:

```bash
nano /etc/wireguard/wg0.conf
```

Replace `__RU_DE_TUNNEL_PUBLIC_KEY__` with the **RU DE tunnel key** (the second key from RU VDS).

Save and exit (Ctrl+X, Y, Enter).

### 3.2 Configure RU VDS with DE key

SSH into RU VDS:

```bash
ssh root@176.124.216.197
```

Edit WireGuard config:

```bash
nano /etc/wireguard/wg1.conf
```

Replace `__DE_SERVER_PUBLIC_KEY__` with the **DE VDS public key**.

Save and exit (Ctrl+X, Y, Enter).

---

## Step 4: Start Services

### 4.1 Start DE VDS services

SSH into DE VDS:

```bash
ssh root@194.31.173.178
```

Start services:

```bash
systemctl start nftables
systemctl start wg-quick@wg0
```

Check status:

```bash
systemctl status wg-quick@wg0
wg show
```

You should see:

- `wg0` interface with IP `10.20.0.2/30`
- No handshake yet (RU VDS not connected)

### 4.2 Start RU VDS services

SSH into RU VDS:

```bash
ssh root@176.124.216.197
```

Start services:

```bash
systemctl start dnsmasq
systemctl start wg-quick@wg1
systemctl start wg-quick@wg0
```

Check status:

```bash
systemctl status wg-quick@wg1
systemctl status wg-quick@wg0
systemctl status dnsmasq
```

---

## Step 5: Verify Tunnel

### 5.1 Test from RU VDS

```bash
# Ping DE VDS through tunnel
ping -c 4 10.20.0.2

# Check WireGuard handshake
wg show wg1
```

You should see:

- Successful ping responses
- Recent handshake timestamp
- Transfer data counters

### 5.2 Test from DE VDS

```bash
# Check WireGuard handshake
wg show wg0
# You should see a recent handshake from RU VDS
```

### 5.3 Check routing on RU VDS

```bash
# Check routing table
ip route show table proxy

# Check nftables set (will be empty until IP ranges are loaded)
nft list set ip vpn-routing direct

# Check policy routing rules
ip rule show
```

Expected output:

- Routing table `proxy` should have a default route via `10.20.0.2`
- nftables set `direct` should exist
- Policy routing rule for `10.10.0.0/24` with fwmark `0x1`

### 5.4 Load Russian IP ranges

```bash
# Load Russian IP ranges into nftables (takes 1-2 minutes)
/etc/wireguard/update-direct-routes.sh

# Verify ranges were loaded
nft list set ip vpn-routing direct | head -20
```

---

## Step 6: Add First Client

### 6.1 Copy client management scripts to RU VDS

From your local machine:

```bash
scp scripts/add-client.sh root@176.124.216.197:/root/
scp scripts/list-clients.sh root@176.124.216.197:/root/
scp scripts/disable-client.sh root@176.124.216.197:/root/
scp scripts/enable-client.sh root@176.124.216.197:/root/
scp scripts/remove-client.sh root@176.124.216.197:/root/
```

### 6.2 Add a client

SSH into RU VDS:

```bash
ssh root@176.124.216.197
```

Add a client (replace "phone" with your device name):

```bash
chmod +x /root/*.sh
/root/add-client.sh phone
```

The script will:

1. Generate client keys
2. Assign an IP address (starting from 10.10.0.2)
3. Add the peer to WireGuard
4. Create the client config file
5. Display a QR code for mobile devices

### 6.3 Transfer configuration to client

**For mobile devices:**

- Scan the QR code with the WireGuard app

**For desktop/laptop:**

- Copy the configuration file from RU VDS:

  ```bash
  cat /etc/wireguard/clients/phone.conf
  ```

- Save it locally as `phone.conf`
- Import it into the WireGuard client

---

## Step 7: Test Client Connection

### 7.1 Connect from client

1. Open the WireGuard app/client
2. Import/scan the configuration
3. Connect

### 7.2 Test basic connectivity

From the client device:

```bash
# Test VPN gateway
ping 10.10.0.1

# Test DNS
nslookup google.com
nslookup yandex.ru
```

### 7.3 Test routing

From the client device:

```bash
# Check external IP (should show DE VDS IP: 194.31.173.178)
curl ifconfig.me

# Visit a Russian site, then check the nftables set on RU VDS
```

On RU VDS:

```bash
# Check that Russian IP ranges are loaded
nft list set ip vpn-routing direct | wc -l
# Should print many lines (the set holds thousands of ranges)
```

### 7.4 Advanced testing

Test that Russian IPs go direct:

```bash
# From client - visit some Russian sites
curl -I https://yandex.ru
curl -I https://mail.ru
# These should be fast (direct routing)
```

Test that other domains go through DE:

```bash
# From client
traceroute google.com
# Should show a hop through 10.20.0.x

traceroute yandex.ru
# Should NOT show a 10.20.0.x hop (goes direct)
```

---

## Step 8: Client Management

### List all clients

```bash
/root/list-clients.sh
```

### Add another client

```bash
/root/add-client.sh laptop
```

### Disable a client temporarily

```bash
/root/disable-client.sh phone
```

### Enable a disabled client

```bash
/root/enable-client.sh phone
```

### Permanently remove a client

```bash
/root/remove-client.sh phone
```

---

## Troubleshooting

### Tunnel not working

**Check WireGuard status:**

```bash
# On both servers
wg show
systemctl status wg-quick@wg0
systemctl status wg-quick@wg1  # RU only
```

**Check if ports are open:**

```bash
# On DE VDS
ss -ulnp | grep 51821

# On RU VDS
ss -ulnp | grep 51820
```

**Check firewall:**

```bash
nft list ruleset
```

### DNS not working

**Check dnsmasq:**

```bash
# On RU VDS
systemctl status dnsmasq
journalctl -u dnsmasq -n 50
```

**Test DNS locally:**

```bash
dig @127.0.0.1 google.com
dig @10.10.0.1 yandex.ru
```

### Routing not working

**Check routing tables:**

```bash
# On RU VDS
ip route show table proxy
ip rule show
```

**Check nftables set:**

```bash
nft list set ip vpn-routing direct | head -20
```

**Check nftables rules:**

```bash
nft list chain ip vpn-routing prerouting
```

### Client can't connect

**Check client config:**

- Correct server IP (176.124.216.197)
- Correct port (51820)
- Correct DNS (10.10.0.1)

**Check server logs:**

```bash
# On RU VDS
journalctl -u wg-quick@wg0 -f
```

**Check if the peer is added:**

```bash
wg show wg0
```

---

## Maintenance

### View logs

```bash
# WireGuard
journalctl -u wg-quick@wg0 -f
journalctl -u wg-quick@wg1 -f

# dnsmasq
journalctl -u dnsmasq -f

# System
dmesg | grep -i wireguard
```

### Restart services

```bash
# RU VDS
systemctl restart wg-quick@wg0
systemctl restart wg-quick@wg1
systemctl restart dnsmasq

# DE VDS
systemctl restart wg-quick@wg0
```

### Update system packages

```bash
apt update && apt upgrade -y
```

### Backup configurations

```bash
# On both servers (the archive contains private keys - keep it somewhere restricted)
tar -czf wireguard-backup-$(date +%Y%m%d).tar.gz /etc/wireguard/
```

---

## Security Best Practices

1. **Change SSH port** from default 22
2. **Use SSH keys** instead of passwords
3. **Enable automatic security updates:**

   ```bash
   apt install unattended-upgrades
   dpkg-reconfigure -plow unattended-upgrades
   ```

4. **Monitor logs** regularly
5. **Keep WireGuard keys secure** - never share them
6. **Rotate client keys** periodically
7. **Remove unused clients** promptly

---

## Performance Optimization

### If experiencing slow speeds:

1. **Check MTU settings:**

   ```ini
   # Add to the [Interface] section of the WireGuard config
   MTU = 1420
   ```

2. **Enable BBR congestion control:**

   ```bash
   echo "net.core.default_qdisc=fq" >> /etc/sysctl.d/99-vpn.conf
   echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.d/99-vpn.conf
   sysctl -p /etc/sysctl.d/99-vpn.conf
   ```

3. **Increase UDP buffer sizes:**

   ```bash
   echo "net.core.rmem_max=2500000" >> /etc/sysctl.d/99-vpn.conf
   echo "net.core.wmem_max=2500000" >> /etc/sysctl.d/99-vpn.conf
   sysctl -p /etc/sysctl.d/99-vpn.conf
   ```

---

## Next Steps

- [ ] Deploy to production servers
- [ ] Add first client
- [ ] Test routing for .ru domains
- [ ] Test routing for international domains
- [ ] Set up monitoring (optional)
- [ ] Document server access credentials securely
- [ ] Schedule regular backups

---

## Quick Reference

### Key Files

**DE VDS:**

- `/etc/wireguard/wg0.conf` - WireGuard config
- `/etc/nftables.conf` - Firewall rules
- `/etc/wireguard/keys/` - WireGuard keys

**RU VDS:**

- `/etc/wireguard/wg0.conf` - User VPN config
- `/etc/wireguard/wg1.conf` - DE tunnel config
- `/etc/wireguard/postup.sh` - Routing setup
- `/etc/wireguard/postdown.sh` - Routing cleanup
- `/etc/dnsmasq.d/vpn-routing.conf` - DNS config
- `/etc/nftables.conf` - Firewall rules
- `/etc/wireguard/clients/` - Client configs

### Common Commands

```bash
# Check WireGuard status
wg show

# List clients
/root/list-clients.sh

# Add client
/root/add-client.sh <name>

# View logs
journalctl -u wg-quick@wg0 -f

# Test tunnel
ping 10.20.0.2

# Check routing
ip route show table proxy
nft list set ip vpn-routing direct | head -20

# Update Russian IP ranges
/etc/wireguard/update-direct-routes.sh
```
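A scripted version of the Step 5 checks (the handshake from 5.1/5.2 and the three routing items from 5.3), added here as an example and not part of the project's scripts. It parses the text output of `wg show wg1 dump`, `ip rule show`, `ip route show table proxy` and `nft list set ip vpn-routing direct`, so it runs against the constructed samples embedded below; on RU VDS pass the live command output instead. The 180-second handshake threshold and the 1000-range minimum are assumed defaults, not values from the guide.

```shell
#!/bin/sh
# Post-deployment checks for step 5 on RU VDS (added example, not a project script).
# Each check takes command output as text, so it runs on the constructed samples
# below or on live output, e.g. tunnel_fresh "$(wg show wg1 dump)" "$(date +%s)".

# `wg show <iface> dump`: one interface line, then one tab-separated line per peer:
# pubkey, psk, endpoint, allowed-ips, latest-handshake (epoch, 0 = never), rx, tx, keepalive.
SAMPLE_DUMP=$(printf 'PRIV\tPUB\t51821\toff\nDEPEERKEY\t(none)\t194.31.173.178:51821\t0.0.0.0/0\t1700000000\t8192\t4096\t25\n')
SAMPLE_RULES='0:      from all lookup local
32765:  from 10.10.0.0/24 fwmark 0x1 lookup proxy
32766:  from all lookup main'
SAMPLE_ROUTES='default via 10.20.0.2 dev wg1'
SAMPLE_SET='table ip vpn-routing {
    set direct {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.0/24, 198.51.100.0/24,
                     203.0.113.0/24 }
    }
}'

# tunnel_fresh DUMP NOW [MAX_AGE]: succeed if some peer handshook within MAX_AGE s.
# Default 180: WireGuard rekeys after 120 s of traffic, so with keepalive or test
# traffic flowing, an older handshake means the session is not being renewed.
tunnel_fresh() {
    printf '%s\n' "$1" | awk -F'\t' -v now="$2" -v max="${3:-180}" '
        NR > 1 && NF >= 8 {
            id = substr($1, 1, 8); age = now - $5
            if ($5 == 0)         printf "peer %s: no handshake yet\n", id
            else if (age <= max) { printf "peer %s: handshake %ds ago rx=%s tx=%s\n", id, age, $6, $7; ok = 1 }
            else                 printf "peer %s: stale handshake, %ds ago\n", id, age
        }
        END { if (ok) exit 0; exit 1 }'
}

# split_routing_ok RULES ROUTES NFTSET [MIN_RANGES]: the three items from step 5.3.
split_routing_ok() {
    printf '%s\n' "$1" | grep -q 'from 10.10.0.0/24 .*fwmark 0x1 .*lookup proxy' ||
        { echo "missing policy rule: from 10.10.0.0/24 fwmark 0x1 lookup proxy"; return 1; }
    printf '%s\n' "$2" | grep -q '^default via 10.20.0.2 ' ||
        { echo "table proxy has no default route via 10.20.0.2"; return 1; }
    # nft wraps elements over several lines, so count CIDRs rather than lines
    n=$(printf '%s\n' "$3" | grep -o '[0-9][0-9.]*/[0-9]*' | wc -l | tr -d ' ')
    [ "$n" -ge "${4:-1000}" ] ||
        { echo "set direct holds only $n ranges; run /etc/wireguard/update-direct-routes.sh"; return 1; }
    echo "split routing OK: $n direct ranges loaded"
}

tunnel_fresh "$SAMPLE_DUMP" 1700000030 && split_routing_ok "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_SET" 3
```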
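The allocation logic behind step 6.2 ("Assign an IP address, starting from 10.10.0.2") and the client file handed over in 6.3, written as an added example rather than the project's own add-client.sh. It reads the AllowedIPs already present in a constructed wg0.conf, picks the lowest free address in 10.10.0.0/24 and renders a client config; the /32 client address, full-tunnel AllowedIPs, 25-second keepalive and the placeholder key strings are assumptions, since the guide does not show the generated config.

```shell
#!/bin/sh
# Client onboarding logic from step 6 (added example, not the project's add-client.sh):
# pick the lowest free 10.10.0.X (X from 2 to 254) by reading the AllowedIPs of peers
# already in wg0.conf, then render the client config. Key values are placeholders;
# a real script would generate them with `wg genkey | tee priv | wg pubkey`.

# Constructed stand-in for /etc/wireguard/wg0.conf with two clients present.
SAMPLE_WG0='[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# phone
PublicKey = PHONE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.0.2/32

[Peer]
# laptop
PublicKey = LAPTOP_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.10.0.4/32'

# next_client_ip CONFIG_TEXT: print the first unused address; exit 1 if the /24 is full
next_client_ip() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*AllowedIPs[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            n = split($0, ips, /[[:space:],]+/)
            for (i = 1; i <= n; i++)
                if (match(ips[i], /^10\.10\.0\.[0-9]+/)) {
                    split(substr(ips[i], RSTART, RLENGTH), o, ".")
                    used[o[4] + 0] = 1
                }
        }
        END {
            for (x = 2; x <= 254; x++) if (!(x in used)) { print "10.10.0." x; exit 0 }
            exit 1
        }'
}

# render_client_config NAME CLIENT_PRIVKEY SERVER_PUBKEY CLIENT_IP: full-tunnel client
# (AllowedIPs 0.0.0.0/0, as implied by the external-IP test in step 7.3); DNS and
# endpoint are the values the guide lists under "Client can't connect"; keepalive assumed.
render_client_config() {
    printf '[Interface]\n# %s\nPrivateKey = %s\nAddress = %s/32\nDNS = 10.10.0.1\n\n' "$1" "$2" "$4"
    printf '[Peer]\nPublicKey = %s\nEndpoint = 176.124.216.197:51820\nAllowedIPs = 0.0.0.0/0\nPersistentKeepalive = 25\n' "$3"
}

ip=$(next_client_ip "$SAMPLE_WG0") && render_client_config tablet CLIENT_PRIVATE_KEY_PLACEHOLDER SERVER_PUBLIC_KEY_PLACEHOLDER "$ip"
```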