vpn/PRE_DEPLOYMENT_CHECKLIST.md
mguschin f14d4f8f33 Migrate to pure nftables routing (remove iptables/ipset)
- Replace hybrid iptables/ipset/nftables approach with pure nftables
- Add nftables native set for Russian IP ranges (populated from RIPE)
- Create update-direct-routes.sh script to load IP ranges from RIPE database
- Remove ipset and iptables dependencies from postup.sh/postdown.sh
- Add automatic weekly cron job for IP range updates
- Update all documentation to reflect the new approach

Benefits:
- More reliable: no iptables/nftables conflicts
- Simpler debugging: single tool for all rules (nft list ruleset)
- Atomic rule loading: prevents partial failures
- IP-based routing is more predictable than DNS-based

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-19 18:02:28 +03:00


# Pre-Deployment Checklist
Complete this checklist before deploying to production servers.
## Infrastructure Verification
### RU VDS (176.124.216.197)
- [ ] Can SSH into server: `ssh root@176.124.216.197`
- [ ] Have root access: `sudo -i` or logged in as root
- [ ] Server is Debian 12 (or compatible): `cat /etc/debian_version`
- [ ] Adequate resources:
  - [ ] At least 1GB RAM: `free -h`
  - [ ] At least 5GB free disk: `df -h`
  - [ ] CPU is reasonable: `lscpu`
- [ ] Internet connectivity: `ping -c 4 8.8.8.8`
- [ ] Can resolve DNS: `nslookup google.com`
- [ ] Port 51820/udp not in use: `ss -ulnp | grep 51820` (should be empty)
- [ ] Port 53 not in use by another service: `ss -ulnp | grep :53` (output should be empty, or show only systemd-resolved)
### DE VDS (194.31.173.178)
- [ ] Can SSH into server: `ssh root@194.31.173.178`
- [ ] Have root access: `sudo -i` or logged in as root
- [ ] Server is Debian 13 (or compatible): `cat /etc/debian_version`
- [ ] Adequate resources:
  - [ ] At least 512MB RAM: `free -h`
  - [ ] At least 5GB free disk: `df -h`
  - [ ] CPU is reasonable: `lscpu`
- [ ] Internet connectivity: `ping -c 4 8.8.8.8`
- [ ] Can resolve DNS: `nslookup google.com`
- [ ] Port 51821/udp not in use: `ss -ulnp | grep 51821` (should be empty)
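The resource and port checks above can be scripted so they are run identically on both servers. The helper below is an added example, not part of the repository; it assumes the thresholds and ports listed in this checklist (51820/udp and 1GB on RU, 51821/udp and 512MB on DE, 5GB disk on both) and parses the output of `ss -ulnp`, `free -m` and `df -Pk /`.

```shell
# Added pre-flight helper for this checklist (not part of the repository). Each
# check takes the command output it inspects as an argument, so it runs on live
# output ("$(ss -ulnp)") as well as on captured output for a dry run.

# udp_port_free PORT SS_OUTPUT: succeed when nothing is bound to PORT/udp.
udp_port_free() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 1 : 0 }'
}

# udp_port_process PORT SS_OUTPUT: print the process name bound to PORT/udp
# (port 53 check: empty or systemd-resolved is acceptable, anything else is not).
udp_port_process() {
    printf '%s\n' "$2" | awk -v p="$1" '
        NR > 1 { n = split($4, a, ":")
                 if (a[n] == p && match($0, /users:\(\("[^"]+"/))
                     print substr($0, RSTART + 9, RLENGTH - 10) }'
}

# mem_at_least MIN_MB FREE_OUTPUT: total RAM reported by `free -m` is >= MIN_MB.
mem_at_least() {
    printf '%s\n' "$2" | awk -v min="$1" '
        /^Mem:/ { ok = ($2 >= min) }  END { exit ok ? 0 : 1 }'
}

# disk_free_at_least MIN_GB DF_OUTPUT: space available on / from `df -Pk /`.
disk_free_at_least() {
    printf '%s\n' "$2" | awk -v min="$1" '
        NR == 2 { ok = ($4 >= min * 1024 * 1024) }  END { exit ok ? 0 : 1 }'
}

# preflight ru|de: run the RAM, disk and port checks for that server on this host.
preflight() {
    case $1 in
        ru) port=51820; min_mb=1024 ;;
        de) port=51821; min_mb=512 ;;
        *)  echo "usage: preflight ru|de" >&2; return 2 ;;
    esac
    ss_out=$(ss -ulnp); rc=0
    udp_port_free "$port" "$ss_out" && echo "PASS $port/udp free" || { echo "FAIL $port/udp in use"; rc=1; }
    mem_at_least "$min_mb" "$(free -m)" && echo "PASS RAM >= ${min_mb}MB" || { echo "FAIL RAM < ${min_mb}MB"; rc=1; }
    disk_free_at_least 5 "$(df -Pk /)" && echo "PASS disk >= 5GB" || { echo "FAIL disk < 5GB"; rc=1; }
    if [ "$1" = ru ]; then
        p53=$(udp_port_process 53 "$ss_out")
        case ${p53:-free} in free|systemd-resolve*) echo "PASS 53/udp: ${p53:-free}" ;;
            *) echo "FAIL 53/udp held by $p53"; rc=1 ;; esac
    fi
    return $rc
}
```

Source the file and run `preflight ru` on the RU VDS or `preflight de` on the DE VDS; a non-zero exit means at least one check failed.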
### Network Connectivity
- [ ] RU VDS can reach DE VDS: `ping -c 4 194.31.173.178` (from RU VDS)
- [ ] DE VDS can reach RU VDS: `ping -c 4 176.124.216.197` (from DE VDS)
- [ ] No firewall blocking UDP between servers (if any external firewall exists)
## Security Preparation
### SSH Access
- [ ] Have backup SSH access method (console access, VNC, etc.)
- [ ] Know how to access server if SSH breaks
- [ ] Current SSH session is stable
- [ ] Consider opening second SSH session before making changes
### Firewall Considerations
- [ ] Understand current firewall setup (if any): `iptables -L -n` or `nft list ruleset`
- [ ] Have documented how to disable firewall if something goes wrong
- [ ] Won't lock yourself out when applying new firewall rules
### Backup Current State
- [ ] Backup current network config: `cp /etc/network/interfaces /root/interfaces.backup` (if applicable)
- [ ] Backup current SSH config: `cp /etc/ssh/sshd_config /root/sshd_config.backup`
- [ ] Know how to rollback changes if needed
## Client Device Preparation
- [ ] Have at least one device to test VPN client
- [ ] WireGuard app installed on test device:
  - iOS/Android: WireGuard app from App Store/Play Store
  - Windows: WireGuard from wireguard.com
  - macOS: WireGuard from App Store or wireguard.com
  - Linux: `apt install wireguard-tools`
- [ ] Device can scan QR codes (for mobile) or can copy/paste config text
## Tools and Access
### Local Machine
- [ ] Have SSH access from local machine to both servers
- [ ] Can copy files via SCP: `scp test.txt root@176.124.216.197:/tmp/` works
- [ ] Have text editor ready for editing configs
- [ ] Have terminal with multiple tabs/windows open
### Required Information
- [ ] DE VDS IP: 194.31.173.178 (confirmed)
- [ ] RU VDS IP: 176.124.216.197 (confirmed)
- [ ] Root password or SSH keys for both servers
- [ ] Know which local device will be first test client
## Time and Planning
- [ ] Have allocated 1-2 hours for deployment
- [ ] Not during critical business hours (in case of issues)
- [ ] Have time for troubleshooting if needed
- [ ] Not in a rush
## Documentation Review
- [ ] Read QUICKSTART.md overview
- [ ] Reviewed DEPLOYMENT.md deployment steps
- [ ] Know where to find troubleshooting info (DEPLOYMENT.md)
- [ ] Have TESTING.md ready for post-deployment tests
## Script Verification
### Check scripts are ready
```bash
cd /home/mish/vpn.git
ls -la scripts/
```
Should see:
- [ ] setup-de-vds.sh (executable)
- [ ] setup-ru-vds.sh (executable)
- [ ] add-client.sh (executable)
- [ ] disable-client.sh (executable)
- [ ] enable-client.sh (executable)
- [ ] remove-client.sh (executable)
- [ ] list-clients.sh (executable)
## Configuration Files Check
```bash
cd /home/mish/vpn.git
ls -la configs/de-vds/
ls -la configs/ru-vds/
```
Should see all required config files.
## Risk Assessment
### Understand the risks
- [ ] Understand that changes will be made to network configuration
- [ ] Understand that firewall rules will be modified
- [ ] Understand that new services will be installed
- [ ] Have rollback plan if things go wrong
- [ ] Won't lose access to servers (have console/recovery access)
### Rollback Plan
If something goes wrong:
**DE VDS:**
```bash
# Stop services
systemctl stop wg-quick@wg0
systemctl stop nftables
# Flush firewall (nftables is the only rule source after the migration)
nft flush ruleset
# Clear any legacy iptables rules left from the old setup (harmless if none exist)
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# Default accept
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```
**RU VDS:**
```bash
# Stop services
systemctl stop wg-quick@wg0
systemctl stop wg-quick@wg1
systemctl stop dnsmasq
# Start systemd-resolved if it was stopped
systemctl start systemd-resolved
# Flush firewall
nft flush ruleset
# Remove policy routing
ip rule del from 10.10.0.0/24 fwmark 0x1 table proxy 2>/dev/null || true
ip route flush table proxy 2>/dev/null || true
```
## Post-Deployment Preparation
- [ ] Have notepad ready to save:
  - DE VDS public key
  - RU VDS server public key
  - RU VDS DE tunnel public key
- [ ] Ready to run tests from TESTING.md
- [ ] Have client device ready for connection test
## Final Verification
- [ ] All above items checked
- [ ] Confident to proceed
- [ ] Have time allocated
- [ ] No critical dependencies on servers right now
- [ ] Ready to start deployment
---
## Ready to Deploy?
If all items are checked, proceed to:
1. **QUICKSTART.md** - For rapid deployment
2. **DEPLOYMENT.md** - For detailed deployment guide
## Need More Info?
- Architecture details → README.md
- Implementation steps → IMPLEMENTATION.md
- Testing procedures → TESTING.md
---
## Deployment Day Checklist
### Morning of deployment
- [ ] Verify servers are accessible
- [ ] Verify servers are up-to-date: `apt update && apt list --upgradable`
- [ ] Create snapshot/backup if available from hosting provider
- [ ] Notify anyone who might be affected
### During deployment
- [ ] Follow DEPLOYMENT.md step by step
- [ ] Don't skip verification steps
- [ ] Test after each major phase
- [ ] Document any issues or deviations
### After deployment
- [ ] Complete all tests from TESTING.md
- [ ] Verify client can connect
- [ ] Verify routing is correct
- [ ] Document any configuration changes made
- [ ] Save all keys securely
---
## Emergency Contacts
Document here:
- VDS provider support: _______________________
- Backup admin contact: _______________________
- Your remote access method: _______________________
---
**Date completed:** _______________
**Completed by:** _______________
**Ready to proceed:** ☐ Yes ☐ No
**If No, blockers:**
_________________________________
_________________________________
_________________________________