vpn/TESTING.md
mguschin f14d4f8f33 Migrate to pure nftables routing (remove iptables/ipset)
- Replace hybrid iptables/ipset/nftables approach with pure nftables
- Add nftables native set for Russian IP ranges (populated from RIPE)
- Create update-direct-routes.sh script to load IP ranges from RIPE database
- Remove ipset and iptables dependencies from postup.sh/postdown.sh
- Add automatic weekly cron job for IP range updates
- Update all documentation to reflect the new approach

Benefits:
- More reliable: no iptables/nftables conflicts
- Simpler debugging: single tool for all rules (nft list ruleset)
- Atomic rule loading: prevents partial failures
- IP-based routing is more predictable than DNS-based

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-19 18:02:28 +03:00


Testing Checklist

Use this checklist to verify your VPN network is working correctly.

Pre-Deployment Tests

DE VDS

  • SSH access working
  • System updated (apt update && apt upgrade)
  • Adequate disk space (df -h)
  • No port conflicts on 51821 (ss -ulnp | grep 51821)

RU VDS

  • SSH access working
  • System updated (apt update && apt upgrade)
  • Adequate disk space (df -h)
  • No port conflicts on 51820 (ss -ulnp | grep 51820)
  • No DNS conflicts on port 53 (ss -ulnp | grep :53)

Post-Setup Tests

DE VDS

  • WireGuard installed (wg version)
  • IP forwarding enabled (cat /proc/sys/net/ipv4/ip_forward = 1)
  • WireGuard keys generated (ls /etc/wireguard/keys/)
  • nftables config exists (ls /etc/nftables.conf)
  • Services enabled (not yet started)

RU VDS

  • WireGuard installed (wg version)
  • dnsmasq installed (dnsmasq -v)
  • nftables installed (nft -v)
  • IP forwarding enabled (cat /proc/sys/net/ipv4/ip_forward = 1)
  • WireGuard keys generated (ls /etc/wireguard/keys/)
  • Routing table added (grep proxy /etc/iproute2/rt_tables)
  • Update script exists (ls /etc/wireguard/update-direct-routes.sh)
  • All configs in place
  • Services enabled (not yet started)

Post-Configuration Tests (After Key Exchange)

DE VDS

  • wg0.conf contains RU public key (no __RU_DE_TUNNEL_PUBLIC_KEY__ placeholder)
  • nftables service started (systemctl status nftables)
  • wg-quick@wg0 started (systemctl status wg-quick@wg0)
  • wg0 interface exists (ip addr show wg0)
  • wg0 has correct IP (ip addr show wg0 | grep 10.20.0.2)

RU VDS

  • wg1.conf contains DE public key (no __DE_SERVER_PUBLIC_KEY__ placeholder)
  • dnsmasq started (systemctl status dnsmasq)
  • wg-quick@wg1 started (systemctl status wg-quick@wg1)
  • wg-quick@wg0 started (systemctl status wg-quick@wg0)
  • wg1 interface exists (ip addr show wg1)
  • wg0 interface exists (ip addr show wg0)
  • wg1 has correct IP (ip addr show wg1 | grep 10.20.0.1)
  • wg0 has correct IP (ip addr show wg0 | grep 10.10.0.1)

Tunnel Tests

From RU VDS

  • Can ping DE VDS: ping -c 4 10.20.0.2
  • WireGuard handshake established: wg show wg1 | grep "latest handshake"
  • Transfer counters incrementing: wg show wg1 | grep transfer

From DE VDS

  • WireGuard handshake established: wg show wg0 | grep "latest handshake"
  • Shows RU VDS as peer: wg show wg0 peers
  • Transfer counters incrementing: wg show wg0 | grep transfer

Routing Tests (Before Client Connection)

RU VDS

  • Proxy routing table exists: ip route show table proxy
  • Default route via DE: ip route show table proxy | grep "default via 10.20.0.2"
  • Policy routing rule exists: ip rule show | grep proxy
  • nftables 'direct' set exists: nft list set ip vpn-routing direct
  • nftables prerouting chain exists: nft list chain ip vpn-routing prerouting
  • Russian IP ranges loaded: nft list set ip vpn-routing direct | grep -c elements (prints 1 when the set has an elements block and 0 when the set is empty; it does not count the individual ranges)
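The Tunnel Tests and Routing Tests above are manual greps over wg show, nft list set and ip route output. The script below is an added example, not one of the project's scripts: it turns those checks into pass/fail helpers that parse the same command output. Every helper reads the output on stdin, so it runs offline against the constructed samples embedded here and against a live host with the commands shown in the comments. The 180 second handshake threshold and the sample peer key and prefixes are assumptions.

```shell
#!/bin/sh
# Added example, not part of the project's scripts: turns the manual
# "wg show" and "nft list set" checks above into pass/fail helpers.
# Every helper reads the command's output on stdin, so it can be exercised
# offline with the constructed samples below and on a live RU VDS with e.g.
#   wg show wg1 | wg_handshake_age_seconds
#   nft list set ip vpn-routing direct | nft_set_element_count

# Print the age in seconds of the latest handshake of the first peer in
# "wg show <iface>" output ("latest handshake: 1 minute, 23 seconds ago"),
# or -1 when no handshake line exists (the tunnel never came up).
wg_handshake_age_seconds() {
    awk '
        /latest handshake:/ {
            sub(/.*latest handshake: /, ""); sub(/ ago[ \t]*$/, "")
            n = split($0, part, ", ")
            total = 0
            for (i = 1; i <= n; i++) {
                split(part[i], kv, " ")
                if (kv[2] ~ /^day/)    total += kv[1] * 86400
                if (kv[2] ~ /^hour/)   total += kv[1] * 3600
                if (kv[2] ~ /^minute/) total += kv[1] * 60
                if (kv[2] ~ /^second/) total += kv[1]
            }
            print total; found = 1; exit
        }
        END { if (!found) print "-1" }'
}

# Count the entries in an nftables set listing. nft wraps the elements block
# over several lines, so join the listing first, cut out what sits between
# the braces after "elements =", then count comma-separated entries.
# Prints 0 for an empty set (nft omits the elements block entirely).
nft_set_element_count() {
    tr '\n' ' ' | sed -n 's/.*elements = {\([^}]*\)}.*/\1/p' \
        | tr ',' '\n' | grep -c '[0-9]' || true
}

# Exit 0 if the given public key appears in "wg show <iface> peers" output.
wg_has_peer() {
    grep -qxF "$1"
}

# Exit 0 if "ip route show table proxy" output has a default route via $1.
proxy_default_via() {
    grep -q "^default via $1 "
}

# Constructed sample output for offline runs (not captured from a real host;
# the peer key is a placeholder and the prefixes are illustrative).
SAMPLE_WG='interface: wg1
  public key: (hidden)

peer: SAMPLE_PEER_KEY_PLACEHOLDER=
  endpoint: 194.31.173.178:51821
  allowed ips: 0.0.0.0/0
  latest handshake: 1 minute, 23 seconds ago
  transfer: 1.20 MiB received, 2.31 MiB sent'

SAMPLE_NFT='table ip vpn-routing {
    set direct {
        type ipv4_addr
        flags interval
        elements = { 5.8.0.0/19, 5.16.0.0/16, 31.28.0.0/17,
                     37.9.0.0/19 }
    }
}'

# Live mode on the RU VDS: sh verify-tunnel.sh live
# The 180 s threshold is an assumption: WireGuard renews the handshake
# roughly every two minutes while traffic is flowing.
if [ "${1:-}" = "live" ]; then
    age=$(wg show wg1 | wg_handshake_age_seconds)
    if [ "$age" -ge 0 ] && [ "$age" -lt 180 ]; then
        echo "PASS handshake with DE ${age}s ago"
    else
        echo "FAIL no recent handshake with DE (${age})"
    fi
    count=$(nft list set ip vpn-routing direct | nft_set_element_count)
    [ "$count" -gt 0 ] && echo "PASS $count direct ranges loaded" \
        || echo "FAIL direct set is empty"
    ip route show table proxy | proxy_default_via 10.20.0.2 \
        && echo "PASS proxy table defaults via DE" \
        || echo "FAIL proxy table has no default via 10.20.0.2"
fi
```

The element count is the number the checklist cannot get from grep -c elements: it is the figure to record after running update-direct-routes.sh, and a sudden drop to 0 after the weekly cron run is the symptom to alert on, because an empty set silently sends all Russian traffic through the DE tunnel.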

Client Connection Tests

First Client Addition

  • Client added successfully: /root/add-client.sh testclient
  • Client keys generated: ls /etc/wireguard/keys/client_testclient.*
  • Client config created: ls /etc/wireguard/clients/testclient.conf
  • QR code generated successfully
  • Peer added to wg0: wg show wg0 peers | grep -Ff /etc/wireguard/keys/client_testclient.pub

Client Connection (From Client Device)

  • WireGuard app installed
  • Config imported successfully
  • Connection established
  • No connection errors in app

Basic Connectivity (From Client)

  • Can ping VPN gateway: ping 10.10.0.1
  • Can ping DE VDS: ping 10.20.0.2
  • DNS resolution works: nslookup google.com
  • DNS uses correct server: nslookup google.com 10.10.0.1

Routing Verification (From Client)

  • External IP shows DE VDS: curl ifconfig.me (should be 194.31.173.178)
  • Can access international sites: curl -I https://google.com
  • Can access Russian sites: curl -I https://yandex.ru

IP-Based Routing (From Client)

Russian IPs are pre-loaded from RIPE database:

  • Verify Russian IP ranges are loaded on RU VDS: nft list set ip vpn-routing direct | wc -l (the line count grows with the number of loaded ranges; a listing that is only the set header means nothing was loaded)
  • Visit https://yandex.ru from client (should be fast, direct route)
  • Visit https://mail.ru from client (should be fast, direct route)
  • Visit https://google.com from client (should go through DE tunnel)

Advanced Routing Tests

From client, check routing paths:

  • Traceroute to Russian site shows no DE hop

    traceroute yandex.ru
    # Should NOT show 10.20.0.x
    
  • Traceroute to international site shows DE hop

    traceroute google.com
    # Should show 10.20.0.x in path
    
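When a site in the IP-Based Routing or Advanced Routing Tests above takes the wrong path, the first question is whether the address the client resolved is covered by the direct set at all. The script below is an added example, not part of the project: it answers that offline from a saved nft list set listing by doing the prefix match in plain shell arithmetic. On the live RU VDS the same question is answered by nft get element ip vpn-routing direct { <address> }, which exits 0 when the address is covered. The listing and the addresses below are constructed samples, not real RIPE data.

```shell
#!/bin/sh
# Added example, not part of the project: predicts, from a saved
# "nft list set ip vpn-routing direct" listing, whether an address a client
# resolved would take the direct route or the DE tunnel.
# Live equivalent on the RU VDS (exit status 0 when covered):
#   nft get element ip vpn-routing direct { 77.88.55.242 }
# The listing and addresses below are constructed samples, not RIPE data.

# IPv4 dotted quad -> unsigned integer (subshell body keeps IFS local).
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Exit 0 if address $1 lies within $2 (CIDR prefix or a bare address).
in_prefix() {
    case $2 in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2; len=32 ;;
    esac
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print "direct" or "tunnel" for address $1, reading the set listing on stdin.
# nft wraps the elements block over several lines, so join it first and take
# the comma-separated entries between the braces after "elements =".
route_for() {
    addr=$1
    for prefix in $(tr '\n' ' ' | sed -n 's/.*elements = {\([^}]*\)}.*/\1/p' | tr ',' ' '); do
        if in_prefix "$addr" "$prefix"; then
            echo direct
            return 0
        fi
    done
    echo tunnel
}

# Constructed sample listing (illustrative prefixes, not the real set).
SAMPLE_SET='table ip vpn-routing {
    set direct {
        type ipv4_addr
        flags interval
        elements = { 5.8.0.0/19, 77.88.0.0/18, 94.100.176.0/20,
                     217.69.128.0/20 }
    }
}'

# Usage: nft list set ip vpn-routing direct > direct.txt
#        sh route-for.sh 77.88.55.242 < direct.txt
if [ -n "${1:-}" ]; then
    route_for "$1"
fi
```

If a Russian site resolves to an address this reports as "tunnel", the fix is on the set side (re-run update-direct-routes.sh, or check whether the RIPE data really lists that prefix as RU), not in DNS; if it reports "direct" but traceroute still shows a 10.20.0.x hop, the prerouting chain or the policy rule is the place to look.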

Performance Tests

Latency (From Client)

  • Latency to VPN gateway: ping -c 10 10.10.0.1
    • Expected: < 50ms (depends on your location)
  • Latency through tunnel: ping -c 10 8.8.8.8
    • Expected: 50-150ms (via DE)

Bandwidth (From Client)

  • Download speed test: curl -o /dev/null "https://speed.cloudflare.com/__down?bytes=100000000" (quote the URL so the shell does not treat the ? as a glob)
  • Should get reasonable speeds (depends on VDS specs)

Client Management Tests

List Clients

  • List shows active client: /root/list-clients.sh
  • Shows correct IP assignment
  • Shows latest handshake

Disable Client

  • Disable client: /root/disable-client.sh testclient
  • Client no longer in wg show: wg show wg0 peers
  • Client cannot connect
  • Keys still exist: ls /etc/wireguard/keys/client_testclient.*

Enable Client

  • Enable client: /root/enable-client.sh testclient
  • Client appears in wg show: wg show wg0 peers
  • Client can connect again

Add Multiple Clients

  • Add 2nd client: /root/add-client.sh client2
  • Gets different IP (10.10.0.3)
  • Both clients can connect simultaneously
  • Both clients in list: /root/list-clients.sh

Remove Client

  • Remove client: /root/remove-client.sh testclient
  • Client not in wg show
  • Keys deleted: ls /etc/wireguard/keys/client_testclient.* 2>&1 | grep "No such file"
  • Config deleted: ls /etc/wireguard/clients/testclient.conf 2>&1 | grep "No such file"

Stress Tests

Multiple Concurrent Clients

  • Add 5 clients
  • All connect simultaneously
  • All can browse internet
  • Check server load: top (CPU should be low)
  • Check memory: free -h (should have free memory)

Continuous Traffic

  • Stream video through VPN for 10 minutes
  • No disconnections
  • Stable speed
  • Check for errors: journalctl -u wg-quick@wg0 -n 50

Security Tests

Firewall Rules (DE VDS)

  • Port 51821 only accepts from RU IP:

    # From another host (should fail)
    nc -u 194.31.173.178 51821
    # nc -u prints nothing for a silently dropped datagram, so also confirm
    # the rule itself on DE VDS with: nft list ruleset
    # (the accept rule for udp dport 51821 must be limited to the RU VDS source address)

  • SSH still accessible (if configured)

  • Other ports closed

Firewall Rules (RU VDS)

  • Port 51820 accepts WireGuard connections

  • DNS only from VPN clients:

    # From outside (should fail)
    dig @176.124.216.197 google.com
    
  • SSH still accessible

  • Other ports closed
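Both firewall sections above probe from outside, and a dropped UDP datagram gives the prober no feedback. The script below is an added example, not the project's code: it checks the properties those tests describe directly in a nft list ruleset listing, so the result is deterministic and can be repeated after every nftables change. The port numbers and the RU VDS address come from this checklist; the table and chain names and the three rulesets are constructed samples, and the project's real /etc/nftables.conf may be laid out differently.

```shell
#!/bin/sh
# Added example, not the project's code: checks a "nft list ruleset" listing
# for the firewall properties the Security Tests above describe, without
# sending any probe traffic. Table/chain names and the sample rulesets are
# constructed; the ports and the RU VDS address are from the checklist.

# Exit 0 when every rule that accepts protocol $1 on port $2 also contains
# the fixed string $3 (a source restriction such as 'ip saddr 1.2.3.4' or
# 'iifname "wg0"'). Exit 1 when no rule accepts the port at all, or when at
# least one accept rule lacks the restriction. Reads the listing on stdin.
accept_rules_restricted() {
    proto=$1; port=$2; restriction=$3
    rules=$(grep -E "${proto} dport ${port} .*accept" || true)
    [ -n "$rules" ] || return 1
    if printf '%s\n' "$rules" | grep -vqF -- "$restriction"; then
        return 1
    fi
    return 0
}

# Weak DE ruleset: the tunnel port is open to the whole internet. This is
# the misconfiguration the "should fail" probe above is meant to catch.
DE_WEAK='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        udp dport 51821 accept
    }
}'

# Hardened DE ruleset: only the RU VDS may reach the tunnel port.
DE_HARDENED='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        ip saddr 176.124.216.197 udp dport 51821 accept
    }
}'

# RU ruleset: WireGuard open to clients, DNS only from the VPN interface.
RU_HARDENED='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        udp dport 51820 accept
        iifname "wg0" udp dport 53 accept
        iifname "wg0" tcp dport 53 accept
    }
}'

# Live use: sh check-firewall.sh live-de   (on DE VDS)
#           sh check-firewall.sh live-ru   (on RU VDS)
case "${1:-}" in
    live-de)
        nft list ruleset | accept_rules_restricted udp 51821 'ip saddr 176.124.216.197' \
            && echo "PASS 51821 accepted only from RU VDS" \
            || echo "FAIL 51821 accepted from other sources (or no accept rule)" ;;
    live-ru)
        nft list ruleset | accept_rules_restricted udp 53 'iifname "wg0"' \
            && echo "PASS DNS accepted only on wg0" \
            || echo "FAIL DNS reachable from outside wg0 (or no accept rule)" ;;
esac
```

The check is textual: it sees only the accept rules that name the port, so a broad accept earlier in the chain or in another input chain would not be caught. Treat it as a regression check that complements the probes in this section rather than a replacement for them, and run it again after every edit to nftables.conf.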

DNS Leak Test (From Client)

  • Check DNS server used: visit https://dnsleaktest.com/
  • Should show RU VDS or your VPN as DNS server
  • Should NOT show your ISP's DNS

Failure Recovery Tests

Restart Services

  • Restart wg-quick@wg0 on RU VDS
  • Clients reconnect automatically
  • No connection loss > 30 seconds

Reboot Tests

  • Reboot DE VDS: reboot

  • Services auto-start after boot

  • Tunnel re-establishes

  • Reboot RU VDS: reboot

  • Services auto-start after boot

  • Clients can reconnect

Logs Check

No Errors in Logs

  • DE VDS WireGuard: journalctl -u wg-quick@wg0 -n 50 --no-pager
  • RU VDS WireGuard wg0: journalctl -u wg-quick@wg0 -n 50 --no-pager
  • RU VDS WireGuard wg1: journalctl -u wg-quick@wg1 -n 50 --no-pager
  • RU VDS dnsmasq: journalctl -u dnsmasq -n 50 --no-pager

Final Verification

  • All clients can connect
  • Russian domains route directly (fast)
  • International domains route through DE (working)
  • DNS resolution working
  • No errors in logs
  • Services set to auto-start
  • Documentation updated with actual client names
  • Backup of /etc/wireguard/ created

Troubleshooting References

If any tests fail, refer to:

Test Results Template

Date: ____________________
Tester: __________________

Pre-Deployment: ☐ Pass ☐ Fail
Post-Setup: ☐ Pass ☐ Fail
Tunnel Tests: ☐ Pass ☐ Fail
Routing Tests: ☐ Pass ☐ Fail
Client Tests: ☐ Pass ☐ Fail
Performance: ☐ Pass ☐ Fail
Security: ☐ Pass ☐ Fail
Recovery: ☐ Pass ☐ Fail

Notes:
_____________________________________
_____________________________________
_____________________________________