vpn/QUICKSTART.md
mguschin 054437d5a4 Add .env configuration for easy environment customization
- Create .env.example with all configurable settings:
  - Server IPs (RU_VDS_IP, DE_VDS_IP)
  - WireGuard ports (WG_CLIENT_PORT, WG_TUNNEL_PORT)
  - VPN networks (USER_VPN_NETWORK, TUNNEL_NETWORK)
  - DNS settings, SSH port, timeouts
- Add .gitignore to exclude .env from version control
- Update setup-ru-vds.sh to read from .env
- Update setup-de-vds.sh to read from .env
- Update add-client.sh to use configuration
- Setup scripts save config to /etc/wireguard/vpn.conf for runtime use
- Update documentation with .env usage instructions

This allows easy deployment to test environments by simply
changing values in .env before running setup scripts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-19 18:18:06 +03:00


Quick Start Guide

Get your VPN network up and running in 30 minutes.

What You'll Get

A VPN network where:

  • .ru and .рф domains go directly to the internet (fast, no proxy)
  • All other domains route through Germany (bypass blocks)
  • Easy client management via command-line scripts
  • Support for multiple users (up to 253 devices)

Prerequisites

  • 2 VDS servers: one RU gateway and one DE exit node
  • SSH access with root privileges
  • 30 minutes of time

Deployment Steps

Step 0: Configure Environment (2 min)

# On your local machine, in the project directory
cp .env.example .env
nano .env  # Edit values for your servers

Key settings to change:

  • RU_VDS_IP - Your RU gateway server IP
  • DE_VDS_IP - Your DE exit node server IP

Step 1: Setup DE VDS (5 min)

# From your computer (copy .env and script)
scp .env scripts/setup-de-vds.sh root@<DE_VDS_IP>:/root/

# SSH into DE VDS
ssh root@<DE_VDS_IP>

# Run setup
chmod +x /root/setup-de-vds.sh
/root/setup-de-vds.sh

# Copy the public key that appears (save it for step 3)

Step 2: Setup RU VDS (5 min)

# From your computer (copy .env and script)
scp .env scripts/setup-ru-vds.sh root@<RU_VDS_IP>:/root/

# SSH into RU VDS
ssh root@<RU_VDS_IP>

# Run setup
chmod +x /root/setup-ru-vds.sh
/root/setup-ru-vds.sh

# Copy both public keys that appear (save for step 3)

Step 3: Exchange Keys (3 min)

On DE VDS:

nano /etc/wireguard/wg0.conf
# Replace __RU_DE_TUNNEL_PUBLIC_KEY__ with RU's "DE tunnel key"
# Save and exit (Ctrl+X, Y, Enter)

On RU VDS:

nano /etc/wireguard/wg1.conf
# Replace __DE_SERVER_PUBLIC_KEY__ with DE's public key
# Save and exit (Ctrl+X, Y, Enter)
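
Step 3 done without an editor, as an added example that is not part of the project's scripts: it checks that the pasted value has the shape of a WireGuard key before substituting it, and confirms no placeholder is left before the services are started in Step 4. The function names and the sample key are assumptions; the placeholder names are the ones shown above.

```shell
#!/bin/sh
# Added example, not part of the project's scripts. Function names are assumptions.

# A WireGuard key is 32 bytes in base64: 43 characters plus one '='.
# The 43rd character carries only 4 data bits, hence the restricted set.
valid_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    printf '%s\n' "$1" | grep -Eqx '[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]='
}

# set_peer_key CONF PLACEHOLDER KEY
# Replaces PLACEHOLDER with KEY. Leaves CONF untouched and returns non-zero
# if KEY is malformed or PLACEHOLDER is not present in CONF.
set_peer_key() {
    conf=$1; placeholder=$2; key=$3
    valid_wg_key "$key" || { echo "refusing malformed key" >&2; return 2; }
    grep -qF -- "$placeholder" "$conf" ||
        { echo "$placeholder not found in $conf" >&2; return 3; }
    tmp=$(mktemp "$conf.XXXXXX") || return 4   # mktemp creates it mode 0600
    # '|' never occurs in base64 or in the placeholder, so it is a safe delimiter.
    sed "s|$placeholder|$key|g" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# config_ready CONF: succeeds only if no __PLACEHOLDER__ token is left.
config_ready() {
    ! grep -Eq '__[A-Z][A-Z0-9_]*__' "$1"
}

# Demo on a constructed config; the key below is a made-up sample value.
demo() {
    dir=$(mktemp -d) || return 1
    conf="$dir/wg0.conf"
    printf '[Peer]\nPublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__\n' > "$conf"
    sample_key='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMN+/0='
    set_peer_key "$conf" __RU_DE_TUNNEL_PUBLIC_KEY__ "$sample_key" &&
        config_ready "$conf" && cat "$conf"
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

On the real servers the calls would target /etc/wireguard/wg0.conf (DE) and /etc/wireguard/wg1.conf (RU), with the public keys printed by the setup scripts.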

Step 4: Start Services (2 min)

On DE VDS:

systemctl start nftables
systemctl start wg-quick@wg0

On RU VDS:

systemctl start dnsmasq
systemctl start wg-quick@wg1
systemctl start wg-quick@wg0

Step 5: Verify Tunnel & Load Routes (3 min)

On RU VDS:

# Test tunnel
ping -c 4 10.20.0.2
wg show wg1
# Should see successful ping and recent handshake

# Load Russian IP ranges (takes 1-2 minutes)
/etc/wireguard/update-direct-routes.sh

Step 6: Add First Client (5 min)

Copy client scripts to RU VDS:

# From your computer
scp scripts/*.sh root@<RU_VDS_IP>:/root/

On RU VDS:

chmod +x /root/*.sh
/root/add-client.sh phone
# Scan the QR code with WireGuard app or copy the config

Step 7: Test (5 min)

On your client device:

  1. Install WireGuard app
  2. Scan QR code or import config
  3. Connect to VPN

Test it works:

# Should show the DE VDS IP (DE_VDS_IP from .env, e.g. 194.31.173.178)
curl ifconfig.me

# Should resolve through VPN DNS
nslookup google.com

Test routing:

  • Visit google.com → routed through Germany
  • Visit yandex.ru → routed directly (faster)

Done!

Your VPN is now operational.

Common Commands

# List all clients
/root/list-clients.sh

# Add new client
/root/add-client.sh laptop

# Disable client temporarily
/root/disable-client.sh phone

# Re-enable client
/root/enable-client.sh phone

# Remove client permanently
/root/remove-client.sh phone

# Check VPN status
wg show

# View logs
journalctl -u wg-quick@wg0 -f

Need Help?

Troubleshooting

Tunnel not connecting?

# Check WireGuard status
wg show
systemctl status wg-quick@wg0

# Check if ports are open
ss -ulnp | grep 51820  # RU VDS
ss -ulnp | grep 51821  # DE VDS

DNS not working?

# Check dnsmasq
systemctl status dnsmasq
journalctl -u dnsmasq -n 50

Routing not working?

# Check if Russian IP ranges are loaded
nft list set ip vpn-routing direct | wc -l

# Reload if needed
/etc/wireguard/update-direct-routes.sh

# Check routing table
ip route show table proxy
ip rule show

Security Notes

  • Keep WireGuard private keys secure (never share them; only the public keys are exchanged in Step 3)
  • Change SSH port from default 22
  • Use SSH keys instead of passwords
  • Remove unused clients promptly
  • Monitor logs regularly

Next Steps

  • Add more clients as needed
  • Set up automatic security updates
  • Configure backups for /etc/wireguard/
  • Monitor server resources
  • Consider setting up monitoring/alerting