# Testing Checklist

Use this checklist to verify your VPN network is working correctly.

## Pre-Deployment Tests

### DE VDS

- [ ] SSH access working
- [ ] System updated (`apt update && apt upgrade`)
- [ ] Adequate disk space (`df -h`)
- [ ] No port conflicts on 51821 (`ss -ulnp | grep 51821`)

### RU VDS

- [ ] SSH access working
- [ ] System updated (`apt update && apt upgrade`)
- [ ] Adequate disk space (`df -h`)
- [ ] No port conflicts on 51820 (`ss -ulnp | grep 51820`)
- [ ] No DNS conflicts on port 53 (`ss -ulnp | grep :53`)

## Post-Setup Tests

### DE VDS

- [ ] WireGuard installed (`wg version`)
- [ ] IP forwarding enabled (`cat /proc/sys/net/ipv4/ip_forward` = 1)
- [ ] WireGuard keys generated (`ls /etc/wireguard/keys/`)
- [ ] nftables config exists (`ls /etc/nftables.conf`)
- [ ] Services enabled (not yet started)

### RU VDS

- [ ] WireGuard installed (`wg version`)
- [ ] dnsmasq installed (`dnsmasq -v`)
- [ ] nftables installed (`nft -v`)
- [ ] IP forwarding enabled (`cat /proc/sys/net/ipv4/ip_forward` = 1)
- [ ] WireGuard keys generated (`ls /etc/wireguard/keys/`)
- [ ] Routing table added (`grep proxy /etc/iproute2/rt_tables`)
- [ ] Update script exists (`ls /etc/wireguard/update-direct-routes.sh`)
- [ ] All configs in place
- [ ] Services enabled (not yet started)

## Post-Configuration Tests (After Key Exchange)

### DE VDS

- [ ] wg0.conf contains RU public key (no `__RU_DE_TUNNEL_PUBLIC_KEY__` placeholder)
- [ ] nftables service started (`systemctl status nftables`)
- [ ] wg-quick@wg0 started (`systemctl status wg-quick@wg0`)
- [ ] wg0 interface exists (`ip addr show wg0`)
- [ ] wg0 has correct IP (`ip addr show wg0 | grep 10.20.0.2`)

### RU VDS

- [ ] wg1.conf contains DE public key (no `__DE_SERVER_PUBLIC_KEY__` placeholder)
- [ ] dnsmasq started (`systemctl status dnsmasq`)
- [ ] wg-quick@wg1 started (`systemctl status wg-quick@wg1`)
- [ ] wg-quick@wg0 started (`systemctl status wg-quick@wg0`)
- [ ] wg1 interface exists (`ip addr show wg1`)
- [ ] wg0 interface exists (`ip addr show wg0`)
- [ ] wg1 has correct IP (`ip addr show wg1 | grep 10.20.0.1`)
- [ ] wg0 has correct IP (`ip addr show wg0 | grep 10.10.0.1`)

## Tunnel Tests

### From RU VDS

- [ ] Can ping DE VDS: `ping -c 4 10.20.0.2`
- [ ] WireGuard handshake established: `wg show wg1 | grep "latest handshake"`
- [ ] Transfer counters incrementing: `wg show wg1 | grep transfer`

### From DE VDS

- [ ] WireGuard handshake established: `wg show wg0 | grep "latest handshake"`
- [ ] Shows RU VDS as peer: `wg show wg0 peers`
- [ ] Transfer counters incrementing: `wg show wg0 | grep transfer`

## Routing Tests (Before Client Connection)

### RU VDS

- [ ] Proxy routing table exists: `ip route show table proxy`
- [ ] Default route via DE: `ip route show table proxy | grep "default via 10.20.0.2"`
- [ ] Policy routing rule exists: `ip rule show | grep proxy`
- [ ] nftables 'direct' set exists: `nft list set ip vpn-routing direct`
- [ ] nftables prerouting chain exists: `nft list chain ip vpn-routing prerouting`
- [ ] Russian IP ranges loaded: `nft list set ip vpn-routing direct | grep -c elements`

## Client Connection Tests

### First Client Addition

- [ ] Client added successfully: `/root/add-client.sh testclient`
- [ ] Client keys generated: `ls /etc/wireguard/keys/client_testclient.*`
- [ ] Client config created: `ls /etc/wireguard/clients/testclient.conf`
- [ ] QR code generated successfully
- [ ] Peer added to wg0: `wg show wg0 peers | grep -f /etc/wireguard/keys/client_testclient.pub`

### Client Connection (From Client Device)

- [ ] WireGuard app installed
- [ ] Config imported successfully
- [ ] Connection established
- [ ] No connection errors in app

### Basic Connectivity (From Client)

- [ ] Can ping VPN gateway: `ping 10.10.0.1`
- [ ] Can ping DE VDS: `ping 10.20.0.2`
- [ ] DNS resolution works: `nslookup google.com`
- [ ] DNS uses correct server: `nslookup google.com 10.10.0.1`

### Routing Verification (From Client)

- [ ] External IP shows DE VDS: `curl ifconfig.me` (should be 194.31.173.178)
- [ ] Can access international sites: `curl -I https://google.com`
- [ ] Can access Russian sites: `curl -I https://yandex.ru`

### IP-Based Routing (From Client)

Russian IPs are pre-loaded from RIPE database:

- [ ] Verify Russian IP ranges are loaded on RU VDS: `nft list set ip vpn-routing direct | wc -l`
- [ ] Visit `https://yandex.ru` from client (should be fast, direct route)
- [ ] Visit `https://mail.ru` from client (should be fast, direct route)
- [ ] Visit `https://google.com` from client (should go through DE tunnel)

### Advanced Routing Tests

From client, check routing paths:

- [ ] Traceroute to Russian site shows no DE hop
  ```bash
  traceroute yandex.ru
  # Should NOT show 10.20.0.x
  ```
- [ ] Traceroute to international site shows DE hop
  ```bash
  traceroute google.com
  # Should show 10.20.0.x in path
  ```

## Performance Tests

### Latency (From Client)

- [ ] Latency to VPN gateway: `ping -c 10 10.10.0.1`
  - Expected: < 50ms (depends on your location)
- [ ] Latency through tunnel: `ping -c 10 8.8.8.8`
  - Expected: 50-150ms (via DE)

### Bandwidth (From Client)

- [ ] Download speed test: `curl -o /dev/null https://speed.cloudflare.com/__down?bytes=100000000`
- [ ] Should get reasonable speeds (depends on VDS specs)

## Client Management Tests

### List Clients

- [ ] List shows active client: `/root/list-clients.sh`
- [ ] Shows correct IP assignment
- [ ] Shows latest handshake

### Disable Client

- [ ] Disable client: `/root/disable-client.sh testclient`
- [ ] Client no longer in wg show: `wg show wg0 peers`
- [ ] Client cannot connect
- [ ] Keys still exist: `ls /etc/wireguard/keys/client_testclient.*`

### Enable Client

- [ ] Enable client: `/root/enable-client.sh testclient`
- [ ] Client appears in wg show: `wg show wg0 peers`
- [ ] Client can connect again

### Add Multiple Clients

- [ ] Add 2nd client: `/root/add-client.sh client2`
- [ ] Gets different IP (10.10.0.3)
- [ ] Both clients can connect simultaneously
- [ ] Both clients in list: `/root/list-clients.sh`

### Remove Client

- [ ] Remove client: `/root/remove-client.sh testclient`
- [ ] Client not in wg show
- [ ] Keys deleted: `ls /etc/wireguard/keys/client_testclient.* 2>&1 | grep "No such file"`
- [ ] Config deleted: `ls /etc/wireguard/clients/testclient.conf 2>&1 | grep "No such file"`

## Stress Tests

### Multiple Concurrent Clients

- [ ] Add 5 clients
- [ ] All connect simultaneously
- [ ] All can browse internet
- [ ] Check server load: `top` (CPU should be low)
- [ ] Check memory: `free -h` (should have free memory)

### Continuous Traffic

- [ ] Stream video through VPN for 10 minutes
- [ ] No disconnections
- [ ] Stable speed
- [ ] Check for errors: `journalctl -u wg-quick@wg0 -n 50`

## Security Tests

### Firewall Rules (DE VDS)

- [ ] Port 51821 only accepts from RU IP:
  ```bash
  # From another host (should fail)
  nc -u 194.31.173.178 51821
  ```
- [ ] SSH still accessible (if configured)
- [ ] Other ports closed

### Firewall Rules (RU VDS)

- [ ] Port 51820 accepts WireGuard connections
- [ ] DNS only from VPN clients:
  ```bash
  # From outside (should fail)
  dig @176.124.216.197 google.com
  ```
- [ ] SSH still accessible
- [ ] Other ports closed

### DNS Leak Test (From Client)

- [ ] Check DNS server used: visit https://dnsleaktest.com/
- [ ] Should show RU VDS or your VPN as DNS server
- [ ] Should NOT show your ISP's DNS

## Failure Recovery Tests

### Restart Services

- [ ] Restart wg-quick@wg0 on RU VDS
- [ ] Clients reconnect automatically
- [ ] No connection loss > 30 seconds

### Reboot Tests

- [ ] Reboot DE VDS: `reboot`
- [ ] Services auto-start after boot
- [ ] Tunnel re-establishes
- [ ] Reboot RU VDS: `reboot`
- [ ] Services auto-start after boot
- [ ] Clients can reconnect

## Logs Check

### No Errors in Logs

- [ ] DE VDS WireGuard: `journalctl -u wg-quick@wg0 -n 50 --no-pager`
- [ ] RU VDS WireGuard wg0: `journalctl -u wg-quick@wg0 -n 50 --no-pager`
- [ ] RU VDS WireGuard wg1: `journalctl -u wg-quick@wg1 -n 50 --no-pager`
- [ ] RU VDS dnsmasq: `journalctl -u dnsmasq -n 50 --no-pager`

## Final Verification

- [ ] All clients can connect
- [ ] Russian domains route directly (fast)
- [ ] International domains route through DE (working)
- [ ] DNS resolution working
- [ ] No errors in logs
- [ ] Services set to auto-start
- [ ] Documentation updated with actual client names
- [ ] Backup of /etc/wireguard/ created

## Troubleshooting References

If any tests fail, refer to:

- [DEPLOYMENT.md](DEPLOYMENT.md) - Troubleshooting section
- [IMPLEMENTATION.md](IMPLEMENTATION.md) - Detailed implementation steps

## Test Results Template

```
Date: ____________________
Tester: __________________

Pre-Deployment: ☐ Pass ☐ Fail
Post-Setup:     ☐ Pass ☐ Fail
Tunnel Tests:   ☐ Pass ☐ Fail
Routing Tests:  ☐ Pass ☐ Fail
Client Tests:   ☐ Pass ☐ Fail
Performance:    ☐ Pass ☐ Fail
Security:       ☐ Pass ☐ Fail
Recovery:       ☐ Pass ☐ Fail

Notes:
_____________________________________
_____________________________________
_____________________________________
```
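
The Tunnel Tests and Post-Configuration Tests above check that a handshake line and a key are present, but not that the handshake is recent or that no other template token was left behind. The script below is an added example, not part of the original checklist or the project's scripts. It parses `wg show <iface> latest-handshakes` output for stale peers and scans config text for unreplaced `__NAME__` placeholders. The function names, the 180-second threshold and the sample data are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the project). Function names, the 180 s threshold
# and all sample data below are assumptions or constructed values.

TAB=$(printf '\t')

# stale_peers NOW MAX_AGE
# Reads `wg show <iface> latest-handshakes` output on stdin (one
# "<public-key><TAB><unix-epoch>" line per peer) and prints every peer whose
# handshake is missing (epoch 0), malformed, or older than MAX_AGE seconds.
stale_peers() {
    sp_now=$1 sp_max=$2
    while IFS="$TAB" read -r sp_key sp_ts || [ -n "$sp_key" ]; do
        [ -n "$sp_key" ] || continue
        case $sp_ts in
            ''|*[!0-9]*) printf '%s malformed\n' "$sp_key"; continue ;;
        esac
        if [ "$sp_ts" -eq 0 ]; then
            printf '%s never\n' "$sp_key"
        elif [ $((sp_now - sp_ts)) -gt "$sp_max" ]; then
            printf '%s %ss\n' "$sp_key" $((sp_now - sp_ts))
        fi
    done
}

# leftover_placeholders
# Prints each distinct __UPPER_CASE__ template token still present in the
# config text on stdin, e.g. __RU_DE_TUNNEL_PUBLIC_KEY__.
leftover_placeholders() {
    grep -oE '__[A-Z0-9_]+__' | sort -u
}

# Constructed sample input: three peers (fresh, never connected, stale).
sample_handshakes() {
    printf 'peerA-constructed=\t1700000000\n'
    printf 'peerB-constructed=\t0\n'
    printf 'peerC-constructed=\t1699990000\n'
}

# Constructed sample config with the placeholder still in place.
sample_conf() {
    printf '[Peer]\nPublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__\nAllowedIPs = 10.20.0.1/32\n'
}

# Demo on the constructed samples. On a live host use, for example:
#   wg show wg1 latest-handshakes | stale_peers "$(date +%s)" 180
#   leftover_placeholders < /etc/wireguard/wg0.conf
sample_handshakes | stale_peers 1700000100 180
sample_conf | leftover_placeholders
```

Empty output from both functions means the check passes. A peer that sends no traffic and has no keepalive configured will also show as stale, so run the freshness check right after the ping test.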