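#!/bin/bash
# Setup script for DE VDS (Exit Node)
# Run this script as root on the DE VDS server
#
# Steps, in order:
#   1. apt update / upgrade
#   2. install wireguard, nftables, iptables
#   3. enable IPv4 forwarding via /etc/sysctl.d/99-vpn.conf
#   4. generate the server WireGuard key pair (an existing key is kept, not rotated)
#   5. write /etc/wireguard/wg0.conf with the private key filled in (mode 600)
#   6. write /etc/nftables.conf and syntax-check it with `nft -c`
#   7. enable nftables and wg-quick@wg0 (services are enabled, not started)
#
# Optional environment overrides; defaults are the values this script
# originally hard-coded:
#   RU_VDS_IP - public IP of the RU VDS, the only source allowed to reach the WireGuard port
#   SSH_PORT  - TCP port accepted for SSH on the input chain
#   WG_PORT   - WireGuard listen port

# -u: unset variables are errors; pipefail: a failing `wg genkey`/`wg pubkey`
# stage must not be masked by a successful redirection.
set -euo pipefail

readonly RU_VDS_IP="${RU_VDS_IP:-176.124.216.197}"
readonly SSH_PORT="${SSH_PORT:-22}"
readonly WG_PORT="${WG_PORT:-51821}"
readonly KEY_DIR=/etc/wireguard/keys
readonly WG_CONF=/etc/wireguard/wg0.conf
readonly NFT_CONF=/etc/nftables.conf

echo "========================================="
echo "DE VDS (Exit Node) Setup"
echo "========================================="
echo ""

# Check if running as root
if (( EUID != 0 )); then
  echo "ERROR: Please run as root" >&2
  exit 1
fi

echo "[1/7] Updating system packages..."
apt update
apt upgrade -y

echo "[2/7] Installing required packages..."
apt install -y wireguard nftables iptables

echo "[3/7] Enabling IP forwarding..."
cat > /etc/sysctl.d/99-vpn.conf << 'EOF'
# Enable IP forwarding for VPN
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/99-vpn.conf

echo "[4/7] Generating WireGuard keys..."
# From here on every file created holds or references a private key:
# create them owner-only from the start instead of chmod-ing afterwards,
# so the key is never world-readable even for an instant.
umask 077
mkdir -p "$KEY_DIR"
chmod 700 "$KEY_DIR"
if [[ -s "$KEY_DIR/server.key" ]]; then
  # Re-running the script must not rotate a key the RU side already trusts;
  # only re-derive the public key from it.
  echo "  existing $KEY_DIR/server.key found, keeping it"
else
  wg genkey > "$KEY_DIR/server.key"
fi
wg pubkey < "$KEY_DIR/server.key" > "$KEY_DIR/server.pub"
chmod 600 "$KEY_DIR/server.key" "$KEY_DIR/server.pub"

echo "[5/7] Creating WireGuard configuration..."
PRIVATE_KEY=$(<"$KEY_DIR/server.key")
# Unquoted heredoc: the key and port expand here in the shell, so the
# private key never appears on a command line (passing it to sed as an
# argument makes it visible in `ps` output while sed runs).
cat > "$WG_CONF" << EOF
[Interface]
Address = 10.20.0.2/30
ListenPort = ${WG_PORT}
PrivateKey = ${PRIVATE_KEY}
PostUp = nft -f ${NFT_CONF}
PostDown = nft flush ruleset

[Peer]
# RU VDS (server tunnel)
PublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__
AllowedIPs = 10.20.0.1/32, 10.10.0.0/24
EOF
chmod 600 "$WG_CONF"

echo "[6/7] Creating nftables configuration..."
# NOTE(review): the input chain is drop-by-default and only accepts IPv4
# ICMP echo; if this host has a public IPv6 address, ICMPv6 (neighbour
# discovery in particular) is dropped too — add icmpv6 accept rules before
# relying on IPv6 connectivity.
cat > "$NFT_CONF" << EOF
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow established connections
        ct state established,related accept

        # Allow loopback
        iif lo accept

        # Allow SSH (SSH_PORT at script run time)
        tcp dport ${SSH_PORT} accept

        # Allow WireGuard from RU VDS only
        ip saddr ${RU_VDS_IP} udp dport ${WG_PORT} accept

        # Allow ICMP
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow forwarding from VPN
        iifname "wg0" accept

        # Allow established connections back
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;

        # NAT traffic from VPN to internet
        oifname != "wg0" ip saddr { 10.10.0.0/24, 10.20.0.0/30 } masquerade
    }
}
EOF
# The ruleset holds no secrets; 755 is what `chmod +x` on a default-umask
# file produced before umask was tightened above.
chmod 755 "$NFT_CONF"
# Syntax-check the ruleset without loading it, so a typo aborts here
# rather than when nftables.service (or PostUp) first runs it.
nft -c -f "$NFT_CONF"

echo "[7/7] Enabling services..."
systemctl enable nftables
systemctl enable wg-quick@wg0

echo ""
echo "========================================="
echo "Setup completed!"
echo "========================================="
echo ""
echo "IMPORTANT: Next steps"
echo ""
echo "1. Your DE VDS public key is:"
echo ""
cat "$KEY_DIR/server.pub"
echo ""
echo "2. You need to get the RU VDS public key (from de-tunnel.pub)"
echo ""
echo "3. Edit ${WG_CONF} and replace:"
echo " __RU_DE_TUNNEL_PUBLIC_KEY__ with the actual RU VDS de-tunnel public key"
echo ""
echo "4. Start the services:"
echo " systemctl start nftables"
echo " systemctl start wg-quick@wg0"
echo ""
echo "5. Verify the tunnel:"
echo " wg show"
echo " ping 10.20.0.1"
echo ""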