mish/vpn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
054437d5a49af61f1995424c44c06192c36d7ffc
vpn/scripts/setup-de-vds.sh
mguschin 054437d5a4 Add .env configuration for easy environment customization 
- Create .env.example with all configurable settings:
  - Server IPs (RU_VDS_IP, DE_VDS_IP)
  - WireGuard ports (WG_CLIENT_PORT, WG_TUNNEL_PORT)
  - VPN networks (USER_VPN_NETWORK, TUNNEL_NETWORK)
  - DNS settings, SSH port, timeouts
- Add .gitignore to exclude .env from version control
- Update setup-ru-vds.sh to read from .env
- Update setup-de-vds.sh to read from .env
- Update add-client.sh to use configuration
- Setup scripts save config to /etc/wireguard/vpn.conf for runtime use
- Update documentation with .env usage instructions

This allows easy deployment to test environments by simply
changing values in .env before running setup scripts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-19 18:18:06 +03:00

168 lines
4.2 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -e
# Setup script for DE VDS (Exit Node)
# Run this script as root on the DE VDS server
#
# Configuration is loaded from .env file (copy from .env.example)
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ENV_FILE="${SCRIPT_DIR}/../.env"
# Load configuration
if [ -f "$ENV_FILE" ]; then
source "$ENV_FILE"
echo "Loaded configuration from .env"
else
echo "WARNING: .env file not found at $ENV_FILE"
echo "Using default values. Copy .env.example to .env to customize."
echo ""
fi
# Default values (used if .env not present or variable not set)
: "${RU_VDS_IP:=176.124.216.197}"
: "${DE_VDS_IP:=194.31.173.178}"
: "${WG_TUNNEL_PORT:=51821}"
: "${USER_VPN_NETWORK:=10.10.0.0/24}"
: "${TUNNEL_NETWORK:=10.20.0.0/30}"
: "${TUNNEL_RU_IP:=10.20.0.1}"
: "${TUNNEL_DE_IP:=10.20.0.2}"
: "${SSH_PORT:=22}"
echo "========================================="
echo "DE VDS (Exit Node) Setup"
echo "========================================="
echo ""
echo "Configuration:"
echo " DE VDS IP: $DE_VDS_IP"
echo " RU VDS IP: $RU_VDS_IP (allowed for WireGuard)"
echo " Tunnel: $TUNNEL_DE_IP <-> $TUNNEL_RU_IP"
echo ""
# Check if running as root
if [ "$EUID" -ne 0 ]; then
echo "ERROR: Please run as root"
exit 1
fi
echo "[1/7] Updating system packages..."
apt update
apt upgrade -y
echo "[2/7] Installing required packages..."
apt install -y wireguard nftables
echo "[3/7] Enabling IP forwarding..."
cat > /etc/sysctl.d/99-vpn.conf << 'EOF'
# Enable IP forwarding for VPN
net.ipv4.ip_forward = 1
EOF
sysctl -p /etc/sysctl.d/99-vpn.conf
echo "[4/7] Generating WireGuard keys..."
mkdir -p /etc/wireguard/keys
chmod 700 /etc/wireguard/keys
wg genkey | tee /etc/wireguard/keys/server.key | wg pubkey > /etc/wireguard/keys/server.pub
chmod 600 /etc/wireguard/keys/*
echo "[5/7] Creating WireGuard configuration..."
cat > /etc/wireguard/wg0.conf << EOF
[Interface]
Address = ${TUNNEL_DE_IP}/30
ListenPort = ${WG_TUNNEL_PORT}
PrivateKey = __DE_SERVER_PRIVATE_KEY__
PostUp = nft -f /etc/nftables.conf
PostDown = nft flush ruleset
[Peer]
# RU VDS (server tunnel)
PublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__
AllowedIPs = ${TUNNEL_RU_IP}/32, ${USER_VPN_NETWORK}
EOF
# Replace private key placeholder
PRIVATE_KEY=$(cat /etc/wireguard/keys/server.key)
sed -i "s|__DE_SERVER_PRIVATE_KEY__|${PRIVATE_KEY}|g" /etc/wireguard/wg0.conf
echo "[6/7] Creating nftables configuration..."
cat > /etc/nftables.conf << EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
# Allow established connections
ct state established,related accept
# Allow loopback
iif lo accept
# Allow SSH
tcp dport ${SSH_PORT} accept
# Allow WireGuard from RU VDS only
ip saddr ${RU_VDS_IP} udp dport ${WG_TUNNEL_PORT} accept
# Allow ICMP
icmp type echo-request accept
}
chain forward {
type filter hook forward priority 0; policy drop;
# Allow forwarding from VPN
iifname "wg0" accept
# Allow established connections back
ct state established,related accept
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table inet nat {
chain postrouting {
type nat hook postrouting priority 100;
# NAT traffic from VPN to internet
oifname != "wg0" ip saddr { ${USER_VPN_NETWORK}, ${TUNNEL_NETWORK} } masquerade
}
}
EOF
chmod +x /etc/nftables.conf
echo "[7/7] Enabling services..."
systemctl enable nftables
systemctl enable wg-quick@wg0
echo ""
echo "========================================="
echo "Setup completed!"
echo "========================================="
echo ""
echo "IMPORTANT: Next steps"
echo ""
echo "1. Your DE VDS public key is:"
echo ""
cat /etc/wireguard/keys/server.pub
echo ""
echo "2. You need to get the RU VDS public key (from de-tunnel.pub)"
echo ""
echo "3. Edit /etc/wireguard/wg0.conf and replace:"
echo " __RU_DE_TUNNEL_PUBLIC_KEY__ with the actual RU VDS de-tunnel public key"
echo ""
echo "4. Start the services:"
echo " systemctl start nftables"
echo " systemctl start wg-quick@wg0"
echo ""
echo "5. Verify the tunnel:"
echo " wg show"
echo " ping 10.20.0.1"
echo ""
Reference in New Issue View Git Blame Copy Permalink