vpn/PRE_DEPLOYMENT_CHECKLIST.md
mguschin f14d4f8f33 Migrate to pure nftables routing (remove iptables/ipset)
- Replace hybrid iptables/ipset/nftables approach with pure nftables
- Add nftables native set for Russian IP ranges (populated from RIPE)
- Create update-direct-routes.sh script to load IP ranges from RIPE database
- Remove ipset and iptables dependencies from postup.sh/postdown.sh
- Add automatic weekly cron job for IP range updates
- Update all documentation to reflect the new approach

Benefits:
- More reliable: no iptables/nftables conflicts
- Simpler debugging: single tool for all rules (nft list ruleset)
- Atomic rule loading: prevents partial failures
- IP-based routing is more predictable than DNS-based

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-19 18:02:28 +03:00


Pre-Deployment Checklist

Complete this checklist before deploying to production servers.

Infrastructure Verification

RU VDS (176.124.216.197)

  • Can SSH into server: ssh root@176.124.216.197
  • Have root access: sudo -i or logged in as root
  • Server is Debian 12 (or compatible): cat /etc/debian_version
  • Adequate resources:
    • At least 1GB RAM: free -h
    • At least 5GB free disk: df -h
    • CPU is reasonable: lscpu
  • Internet connectivity: ping -c 4 8.8.8.8
  • Can resolve DNS: nslookup google.com
  • Port 51820/udp not in use: ss -ulnp | grep 51820 (should be empty)
  • Port 53 not in use by another service: ss -ulnp | grep :53 (should be empty, or show only systemd-resolved)

DE VDS (194.31.173.178)

  • Can SSH into server: ssh root@194.31.173.178
  • Have root access: sudo -i or logged in as root
  • Server is Debian 13 (or compatible): cat /etc/debian_version
  • Adequate resources:
    • At least 512MB RAM: free -h
    • At least 5GB free disk: df -h
    • CPU is reasonable: lscpu
  • Internet connectivity: ping -c 4 8.8.8.8
  • Can resolve DNS: nslookup google.com
  • Port 51821/udp not in use: ss -ulnp | grep 51821 (should be empty)

Network Connectivity

  • RU VDS can reach DE VDS: ping -c 4 194.31.173.178 (from RU VDS)
  • DE VDS can reach RU VDS: ping -c 4 176.124.216.197 (from DE VDS)
  • No firewall blocking UDP between servers (if any external firewall exists)
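The host checks above as an added preflight script (not one of the repo's scripts/; it assumes the Debian tools ss, free and df). Each check takes the command output as text, so the same functions can be exercised offline before trusting them on the servers; the thresholds, ports and Debian releases are the ones in the lists above.

```shell
#!/bin/sh
# Added preflight helper (not one of the repo's scripts/*.sh). Each check takes
# command output as text so it runs offline; run_preflight feeds it live output.

# 0 if no UDP socket in `ss -ulnp` output $1 is bound to port $2.
udp_port_free() {
    ! printf '%s\n' "$1" | awk 'NR > 1 { print $4 }' | grep -qE ":$2\$"
}
# 0 if every UDP listener on :53 in `ss -ulnp` output $1 belongs to
# systemd-resolved, the one holder of the port the checklist tolerates.
dns_port_ok() {
    ! printf '%s\n' "$1" | awk 'NR > 1 && $4 ~ /:53$/' | grep -qv systemd-resolve
}
# 0 if /etc/debian_version content $1 names major release >= $2.
debian_at_least() {
    major=$(printf '%s' "$1" | sed -n 's/^\([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] && [ "$major" -ge "$2" ]
}
# 0 if `free -m` output $1 reports at least $2 MiB of RAM in total.
ram_at_least() {
    total=$(printf '%s\n' "$1" | awk '$1 == "Mem:" { print $2 }')
    [ -n "$total" ] && [ "$total" -ge "$2" ]
}
# 0 if `df -m /` output $1 reports at least $2 MiB available on /.
disk_at_least() {
    avail=$(printf '%s\n' "$1" | awk 'NR == 2 { print $4 }')
    [ -n "$avail" ] && [ "$avail" -ge "$2" ]
}

# run_preflight ru|de : one line per check, non-zero exit if any check failed.
run_preflight() {
    rc=0
    case "$1" in
        ru) port=51820; deb=12; ram=1024 ;;
        de) port=51821; deb=13; ram=512 ;;
        *)  echo "usage: run_preflight ru|de" >&2; return 2 ;;
    esac
    ss_out=$(ss -ulnp 2>/dev/null)
    check() { if "$@"; then echo "ok   $1"; else echo "FAIL $1"; rc=1; fi; }
    check debian_at_least "$(cat /etc/debian_version)" "$deb"
    check ram_at_least "$(free -m)" "$ram"
    check disk_at_least "$(df -m /)" 5120
    check udp_port_free "$ss_out" "$port"
    [ "$1" = ru ] && check dns_port_ok "$ss_out"   # port 53 matters only on RU VDS
    return $rc
}
```

Run it as root on each server (`run_preflight ru` / `run_preflight de`); the ping and DNS checks from the lists stay manual.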

Security Preparation

SSH Access

  • Have backup SSH access method (console access, VNC, etc.)
  • Know how to access server if SSH breaks
  • Current SSH session is stable
  • Consider opening second SSH session before making changes

Firewall Considerations

  • Understand current firewall setup (if any): iptables -L -n or nft list ruleset
  • Have documented how to disable firewall if something goes wrong
  • Won't lock yourself out when applying new firewall rules
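One way to make "won't lock yourself out" mechanical, as an added example that is not part of the repo's scripts: apply the nftables ruleset file with a watchdog that restores the previous ruleset unless you confirm from a second SSH session. It assumes SSH listens on tcp/22, that the ruleset file begins with `flush ruleset` (so `nft -f` replaces everything in one atomic transaction), and uses /root/nftables.rollback.nft and /run/nft-confirm as chosen paths.

```shell
#!/bin/sh
# Added lock-out guard for applying an nftables ruleset (not a repo script).
# Assumes: the ruleset file starts with `flush ruleset` so `nft -f` replaces
# everything atomically; SSH listens on the tcp port passed as $2 (22).
# The previous ruleset is saved first and put back by a watchdog unless the
# operator confirms from a NEW session within the grace period.

# Heuristic text check: 0 if some rule in file $1 accepts tcp dport $2 or the
# "ssh" service name, in plain or { a, b } set form. It does not prove
# reachability; it catches an input chain with policy drop and no SSH rule.
ruleset_allows_ssh() {
    grep -Eq "tcp dport ([{][^}]*[ ,])?(ssh|$2)([ ,}]|\$).*accept" "$1"
}

# safe_apply_nft FILE [GRACE_SECONDS]   (default 60)
# Then, from a second SSH session that still works:  touch /run/nft-confirm
safe_apply_nft() {
    file=$1; grace=${2:-60}; backup=/root/nftables.rollback.nft
    nft -c -f "$file" || { echo "syntax check failed: $file" >&2; return 1; }
    ruleset_allows_ssh "$file" 22 || { echo "no tcp/22 accept rule in $file" >&2; return 1; }
    nft list ruleset > "$backup" || return 1
    rm -f /run/nft-confirm
    # nohup: the watchdog must survive this SSH session being cut off.
    nohup sh -c 'sleep "$1"
        if [ ! -e /run/nft-confirm ]; then
            nft flush ruleset && nft -f "$2"
            logger -t safe_apply_nft "not confirmed in ${1}s, previous ruleset restored"
        fi' nft-watchdog "$grace" "$backup" >/dev/null 2>&1 &
    nft -f "$file" || { nft flush ruleset; nft -f "$backup"; return 1; }
    echo "applied $file; touch /run/nft-confirm within ${grace}s from a new session"
}
```

If the new session cannot connect, do nothing: the watchdog restores the saved ruleset when the grace period ends.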

Backup Current State

  • Backup current network config: cp /etc/network/interfaces /root/interfaces.backup (if applicable)
  • Backup current SSH config: cp /etc/ssh/sshd_config /root/sshd_config.backup
  • Know how to rollback changes if needed

Client Device Preparation

  • Have at least one device to test VPN client
  • WireGuard app installed on test device:
    • iOS/Android: WireGuard app from App Store/Play Store
    • Windows: WireGuard from wireguard.com
    • macOS: WireGuard from App Store or wireguard.com
    • Linux: apt install wireguard-tools
  • Device can scan QR codes (for mobile) or can copy/paste config text

Tools and Access

Local Machine

  • Have SSH access from local machine to both servers
  • Can copy files via SCP: scp test.txt root@176.124.216.197:/tmp/ works
  • Have text editor ready for editing configs
  • Have terminal with multiple tabs/windows open

Required Information

  • DE VDS IP: 194.31.173.178 (confirmed)
  • RU VDS IP: 176.124.216.197 (confirmed)
  • Root password or SSH keys for both servers
  • Know which local device will be first test client

Time and Planning

  • Have allocated 1-2 hours for deployment
  • Not during critical business hours (in case of issues)
  • Have time for troubleshooting if needed
  • Not in a rush

Documentation Review

  • Read QUICKSTART.md overview
  • Reviewed DEPLOYMENT.md deployment steps
  • Know where to find troubleshooting info (DEPLOYMENT.md)
  • Have TESTING.md ready for post-deployment tests

Script Verification

Check scripts are ready

cd /home/mish/vpn.git
ls -la scripts/

Should see:

  • setup-de-vds.sh (executable)
  • setup-ru-vds.sh (executable)
  • add-client.sh (executable)
  • disable-client.sh (executable)
  • enable-client.sh (executable)
  • remove-client.sh (executable)
  • list-clients.sh (executable)

Configuration Files Check

cd /home/mish/vpn.git
ls -la configs/de-vds/
ls -la configs/ru-vds/

Should see all required config files.

Risk Assessment

Understand the risks

  • Understand that changes will be made to network configuration
  • Understand that firewall rules will be modified
  • Understand that new services will be installed
  • Have rollback plan if things go wrong
  • Won't lose access to servers (have console/recovery access)

Rollback Plan

If something goes wrong:

DE VDS:

# Stop services
systemctl stop wg-quick@wg0
systemctl stop nftables

# Flush firewall
nft flush ruleset

# Flush any leftover legacy iptables rules (only if iptables is still installed)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

# Reset legacy iptables policies to default accept (only if iptables is still installed)
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

RU VDS:

# Stop services
systemctl stop wg-quick@wg0
systemctl stop wg-quick@wg1
systemctl stop dnsmasq

# Start systemd-resolved if it was stopped
systemctl start systemd-resolved

# Flush firewall
nft flush ruleset

# Remove policy routing
ip rule del from 10.10.0.0/24 fwmark 0x1 table proxy 2>/dev/null || true
ip route flush table proxy 2>/dev/null || true

Post-Deployment Preparation

  • Have notepad ready to save:
    • DE VDS public key
    • RU VDS server public key
    • RU VDS DE tunnel public key
  • Ready to run tests from TESTING.md
  • Have client device ready for connection test

Final Verification

  • All above items checked
  • Confident to proceed
  • Have time allocated
  • No critical dependencies on servers right now
  • Ready to start deployment

Ready to Deploy?

If all items are checked, proceed to:

  1. QUICKSTART.md - For rapid deployment
  2. DEPLOYMENT.md - For detailed deployment guide

Need More Info?

  • Architecture details → README.md
  • Implementation steps → IMPLEMENTATION.md
  • Testing procedures → TESTING.md

Deployment Day Checklist

Morning of deployment

  • Verify servers are accessible
  • Verify servers are up-to-date: apt update && apt list --upgradable
  • Create snapshot/backup if available from hosting provider
  • Notify anyone who might be affected

During deployment

  • Follow DEPLOYMENT.md step by step
  • Don't skip verification steps
  • Test after each major phase
  • Document any issues or deviations

After deployment

  • Complete all tests from TESTING.md
  • Verify client can connect
  • Verify routing is correct
  • Document any configuration changes made
  • Save all keys securely

Emergency Contacts

Document here:

  • VDS provider support: _______________________
  • Backup admin contact: _______________________
  • Your remote access method: _______________________

Date completed: _______________

Completed by: _______________

Ready to proceed: ☐ Yes ☐ No

If No, blockers: