vpn/TESTING.md
mguschin f14d4f8f33 Migrate to pure nftables routing (remove iptables/ipset)
- Replace hybrid iptables/ipset/nftables approach with pure nftables
- Add nftables native set for Russian IP ranges (populated from RIPE)
- Create update-direct-routes.sh script to load IP ranges from RIPE database
- Remove ipset and iptables dependencies from postup.sh/postdown.sh
- Add automatic weekly cron job for IP range updates
- Update all documentation to reflect the new approach

Benefits:
- More reliable: no iptables/nftables conflicts
- Simpler debugging: single tool for all rules (nft list ruleset)
- Atomic rule loading: prevents partial failures
- IP-based routing is more predictable than DNS-based

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-19 18:02:28 +03:00


# Testing Checklist
Use this checklist to verify your VPN network is working correctly.
## Pre-Deployment Tests
### DE VDS
- [ ] SSH access working
- [ ] System updated (`apt update && apt upgrade`)
- [ ] Adequate disk space (`df -h`)
- [ ] No port conflicts on 51821 (`ss -ulnp | grep 51821`)
### RU VDS
- [ ] SSH access working
- [ ] System updated (`apt update && apt upgrade`)
- [ ] Adequate disk space (`df -h`)
- [ ] No port conflicts on 51820 (`ss -ulnp | grep 51820`)
- [ ] No DNS conflicts on port 53 (`ss -ulnp | grep :53`)
## Post-Setup Tests
### DE VDS
- [ ] WireGuard installed (`wg version`)
- [ ] IP forwarding enabled (`cat /proc/sys/net/ipv4/ip_forward` = 1)
- [ ] WireGuard keys generated (`ls /etc/wireguard/keys/`)
- [ ] nftables config exists (`ls /etc/nftables.conf`)
- [ ] Services enabled (not yet started)
### RU VDS
- [ ] WireGuard installed (`wg version`)
- [ ] dnsmasq installed (`dnsmasq -v`)
- [ ] nftables installed (`nft -v`)
- [ ] IP forwarding enabled (`cat /proc/sys/net/ipv4/ip_forward` = 1)
- [ ] WireGuard keys generated (`ls /etc/wireguard/keys/`)
- [ ] Routing table added (`grep proxy /etc/iproute2/rt_tables`)
- [ ] Update script exists (`ls /etc/wireguard/update-direct-routes.sh`)
- [ ] All configs in place
- [ ] Services enabled (not yet started)
## Post-Configuration Tests (After Key Exchange)
### DE VDS
- [ ] wg0.conf contains RU public key (no `__RU_DE_TUNNEL_PUBLIC_KEY__` placeholder)
- [ ] nftables service started (`systemctl status nftables`)
- [ ] wg-quick@wg0 started (`systemctl status wg-quick@wg0`)
- [ ] wg0 interface exists (`ip addr show wg0`)
- [ ] wg0 has correct IP (`ip addr show wg0 | grep 10.20.0.2`)
### RU VDS
- [ ] wg1.conf contains DE public key (no `__DE_SERVER_PUBLIC_KEY__` placeholder)
- [ ] dnsmasq started (`systemctl status dnsmasq`)
- [ ] wg-quick@wg1 started (`systemctl status wg-quick@wg1`)
- [ ] wg-quick@wg0 started (`systemctl status wg-quick@wg0`)
- [ ] wg1 interface exists (`ip addr show wg1`)
- [ ] wg0 interface exists (`ip addr show wg0`)
- [ ] wg1 has correct IP (`ip addr show wg1 | grep 10.20.0.1`)
- [ ] wg0 has correct IP (`ip addr show wg0 | grep 10.10.0.1`)
## Tunnel Tests
### From RU VDS
- [ ] Can ping DE VDS: `ping -c 4 10.20.0.2`
- [ ] WireGuard handshake established: `wg show wg1 | grep "latest handshake"`
- [ ] Transfer counters incrementing: `wg show wg1 | grep transfer`
### From DE VDS
- [ ] WireGuard handshake established: `wg show wg0 | grep "latest handshake"`
- [ ] Shows RU VDS as peer: `wg show wg0 peers`
- [ ] Transfer counters incrementing: `wg show wg0 | grep transfer`
## Routing Tests (Before Client Connection)
### RU VDS
- [ ] Proxy routing table exists: `ip route show table proxy`
- [ ] Default route via DE: `ip route show table proxy | grep "default via 10.20.0.2"`
- [ ] Policy routing rule exists: `ip rule show | grep proxy`
- [ ] nftables 'direct' set exists: `nft list set ip vpn-routing direct`
- [ ] nftables prerouting chain exists: `nft list chain ip vpn-routing prerouting`
- [ ] Russian IP ranges loaded: `nft list set ip vpn-routing direct | grep -c elements`
## Client Connection Tests
### First Client Addition
- [ ] Client added successfully: `/root/add-client.sh testclient`
- [ ] Client keys generated: `ls /etc/wireguard/keys/client_testclient.*`
- [ ] Client config created: `ls /etc/wireguard/clients/testclient.conf`
- [ ] QR code generated successfully
- [ ] Peer added to wg0: `wg show wg0 peers | grep -f /etc/wireguard/keys/client_testclient.pub`
### Client Connection (From Client Device)
- [ ] WireGuard app installed
- [ ] Config imported successfully
- [ ] Connection established
- [ ] No connection errors in app
### Basic Connectivity (From Client)
- [ ] Can ping VPN gateway: `ping 10.10.0.1`
- [ ] Can ping DE VDS: `ping 10.20.0.2`
- [ ] DNS resolution works: `nslookup google.com`
- [ ] DNS uses correct server: `nslookup google.com 10.10.0.1`
### Routing Verification (From Client)
- [ ] External IP shows DE VDS: `curl ifconfig.me` (should be 194.31.173.178)
- [ ] Can access international sites: `curl -I https://google.com`
- [ ] Can access Russian sites: `curl -I https://yandex.ru`
### IP-Based Routing (From Client)
Russian IP ranges are pre-loaded into the nftables `direct` set from the RIPE database, so the checks below confirm that traffic to those ranges bypasses the DE tunnel:
- [ ] Verify Russian IP ranges are loaded on RU VDS: `nft list set ip vpn-routing direct | wc -l`
- [ ] Visit `https://yandex.ru` from client (should be fast, direct route)
- [ ] Visit `https://mail.ru` from client (should be fast, direct route)
- [ ] Visit `https://google.com` from client (should go through DE tunnel)
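As an added example serving both the Tunnel Tests and the IP-Based Routing items (this is not code from the repository): POSIX sh helpers that parse the output of `wg show wg1 latest-handshakes` and `nft list set ip vpn-routing direct`, so handshake freshness and the direct-vs-tunnel classification of an address can be checked from a script rather than by eye. Table, set and interface names are taken from this checklist; the sample outputs and peer keys are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the repository). Each function parses command
# output passed in as a string, so it can be fed live output of
# `nft list set ip vpn-routing direct` / `wg show wg1 latest-handshakes`
# or a captured sample. Names follow the checklist above.

ip2int() {                      # dotted quad -> 32-bit integer (pure POSIX sh)
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print the CIDR elements of `nft list set` output, one per line
# (non-prefix ranges such as a.b.c.d-e.f.g.h are not counted).
set_prefixes() {
    printf '%s\n' "$1" | sed -n '/elements = {/,/}/p' | tr -d '{}' \
        | tr ',' '\n' | grep -o '[0-9][0-9.]*/[0-9]*'
}

# Exit 0 if address $1 is covered by a prefix in set output $2, i.e. the
# RU VDS would send it directly instead of through the DE tunnel.
ip_is_direct() {
    addr=$(ip2int "$1")
    for p in $(set_prefixes "$2"); do
        net=$(ip2int "${p%/*}"); bits=${p#*/}
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
        [ $(( addr & mask )) -eq $(( net & mask )) ] && return 0
    done
    return 1
}

# Exit 0 if every peer in `wg show <if> latest-handshakes` output $1 completed
# a handshake within 180 s of epoch $2 (WireGuard rekeys every 120 s; 0 = never).
handshakes_fresh() {
    printf '%s\n' "$1" | awk -v now="$2" '
        NF >= 2 && ($2 == 0 || now - $2 > 180) { stale = 1 }
        END { exit stale }'
}

# Constructed samples (not real RU VDS output): a three-prefix direct set and
# two peers keyed by placeholder public keys.
SAMPLE_SET='table ip vpn-routing {
    set direct {
        type ipv4_addr
        flags interval
        elements = { 77.88.0.0/18, 217.69.128.0/20,
                     5.255.192.0/18 }
    }
}'
SAMPLE_HANDSHAKES=$(printf 'PEER_A_PUBKEY_PLACEHOLDER=\t%s\nPEER_B_PUBKEY_PLACEHOLDER=\t%s\n' 1700000100 1700000000)
```

On the RU VDS the same functions can be driven from live output, for example `ip_is_direct "$(dig +short yandex.ru | head -1)" "$(nft list set ip vpn-routing direct)"` and `handshakes_fresh "$(wg show wg1 latest-handshakes)" "$(date +%s)"`.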
### Advanced Routing Tests
From the client, check the routing paths:
- [ ] Traceroute to Russian site shows no DE hop
```bash
traceroute yandex.ru
# Should NOT show 10.20.0.x
```
- [ ] Traceroute to international site shows DE hop
```bash
traceroute google.com
# Should show 10.20.0.x in path
```
## Performance Tests
### Latency (From Client)
- [ ] Latency to VPN gateway: `ping -c 10 10.10.0.1`
  - Expected: < 50ms (depends on your location)
- [ ] Latency through tunnel: `ping -c 10 8.8.8.8`
  - Expected: 50-150ms (via DE)
### Bandwidth (From Client)
- [ ] Download speed test: `curl -o /dev/null -w '%{speed_download}\n' 'https://speed.cloudflare.com/__down?bytes=100000000'` (URL quoted so the shell does not treat `?` as a glob; `-w` prints the average download rate in bytes/s)
- [ ] Should get reasonable speeds (depends on VDS specs)
## Client Management Tests
### List Clients
- [ ] List shows active client: `/root/list-clients.sh`
- [ ] Shows correct IP assignment
- [ ] Shows latest handshake
### Disable Client
- [ ] Disable client: `/root/disable-client.sh testclient`
- [ ] Client no longer in wg show: `wg show wg0 peers`
- [ ] Client cannot connect
- [ ] Keys still exist: `ls /etc/wireguard/keys/client_testclient.*`
### Enable Client
- [ ] Enable client: `/root/enable-client.sh testclient`
- [ ] Client appears in wg show: `wg show wg0 peers`
- [ ] Client can connect again
### Add Multiple Clients
- [ ] Add 2nd client: `/root/add-client.sh client2`
- [ ] Gets different IP (10.10.0.3)
- [ ] Both clients can connect simultaneously
- [ ] Both clients in list: `/root/list-clients.sh`
### Remove Client
- [ ] Remove client: `/root/remove-client.sh testclient`
- [ ] Client not in wg show
- [ ] Keys deleted: `ls /etc/wireguard/keys/client_testclient.* 2>&1 | grep "No such file"`
- [ ] Config deleted: `ls /etc/wireguard/clients/testclient.conf 2>&1 | grep "No such file"`
## Stress Tests
### Multiple Concurrent Clients
- [ ] Add 5 clients
- [ ] All connect simultaneously
- [ ] All can browse internet
- [ ] Check server load: `top` (CPU should be low)
- [ ] Check memory: `free -h` (should have free memory)
### Continuous Traffic
- [ ] Stream video through VPN for 10 minutes
- [ ] No disconnections
- [ ] Stable speed
- [ ] Check for errors: `journalctl -u wg-quick@wg0 -n 50`
## Security Tests
### Firewall Rules (DE VDS)
- [ ] Port 51821 only accepts from RU IP:
```bash
# From another host (should fail)
nc -u 194.31.173.178 51821
```
- [ ] SSH still accessible (if configured)
- [ ] Other ports closed
### Firewall Rules (RU VDS)
- [ ] Port 51820 accepts WireGuard connections
- [ ] DNS only from VPN clients:
```bash
# From outside (should fail)
dig @176.124.216.197 google.com
```
- [ ] SSH still accessible
- [ ] Other ports closed
### DNS Leak Test (From Client)
- [ ] Check DNS server used: visit https://dnsleaktest.com/
- [ ] Should show RU VDS or your VPN as DNS server
- [ ] Should NOT show your ISP's DNS
## Failure Recovery Tests
### Restart Services
- [ ] Restart wg-quick@wg0 on RU VDS
- [ ] Clients reconnect automatically
- [ ] No connection loss > 30 seconds
### Reboot Tests
- [ ] Reboot DE VDS: `reboot`
- [ ] Services auto-start after boot
- [ ] Tunnel re-establishes
- [ ] Reboot RU VDS: `reboot`
- [ ] Services auto-start after boot
- [ ] Clients can reconnect
## Logs Check
### No Errors in Logs
- [ ] DE VDS WireGuard: `journalctl -u wg-quick@wg0 -n 50 --no-pager`
- [ ] RU VDS WireGuard wg0: `journalctl -u wg-quick@wg0 -n 50 --no-pager`
- [ ] RU VDS WireGuard wg1: `journalctl -u wg-quick@wg1 -n 50 --no-pager`
- [ ] RU VDS dnsmasq: `journalctl -u dnsmasq -n 50 --no-pager`
## Final Verification
- [ ] All clients can connect
- [ ] Russian domains route directly (fast)
- [ ] International domains route through DE (working)
- [ ] DNS resolution working
- [ ] No errors in logs
- [ ] Services set to auto-start
- [ ] Documentation updated with actual client names
- [ ] Backup of /etc/wireguard/ created
## Troubleshooting References
If any tests fail, refer to:
- [DEPLOYMENT.md](DEPLOYMENT.md) - Troubleshooting section
- [IMPLEMENTATION.md](IMPLEMENTATION.md) - Detailed implementation steps
## Test Results Template
```
Date: ____________________
Tester: __________________
Pre-Deployment: ☐ Pass ☐ Fail
Post-Setup: ☐ Pass ☐ Fail
Tunnel Tests: ☐ Pass ☐ Fail
Routing Tests: ☐ Pass ☐ Fail
Client Tests: ☐ Pass ☐ Fail
Performance: ☐ Pass ☐ Fail
Security: ☐ Pass ☐ Fail
Recovery: ☐ Pass ☐ Fail
Notes:
_____________________________________
_____________________________________
_____________________________________
```