8.7 KiB
8.7 KiB
Testing Checklist
Use this checklist to verify your VPN network is working correctly.
Pre-Deployment Tests
DE VDS
- SSH access working
- System updated (
apt update && apt upgrade) - Adequate disk space (
df -h) - No port conflicts on 51821 (
ss -ulnp | grep 51821)
RU VDS
- SSH access working
- System updated (
apt update && apt upgrade) - Adequate disk space (
df -h) - No port conflicts on 51820 (
ss -ulnp | grep 51820) - No DNS conflicts on port 53 (
ss -ulnp | grep :53)
Post-Setup Tests
DE VDS
- WireGuard installed (
wg version) - IP forwarding enabled (
cat /proc/sys/net/ipv4/ip_forward= 1) - WireGuard keys generated (
ls /etc/wireguard/keys/) - nftables config exists (
ls /etc/nftables.conf) - Services enabled (not yet started)
RU VDS
- WireGuard installed (
wg version) - dnsmasq installed (
dnsmasq -v) - ipset installed (
ipset -v) - IP forwarding enabled (
cat /proc/sys/net/ipv4/ip_forward= 1) - WireGuard keys generated (
ls /etc/wireguard/keys/) - Routing table added (
grep proxy /etc/iproute2/rt_tables) - All configs in place
- Services enabled (not yet started)
Post-Configuration Tests (After Key Exchange)
DE VDS
- wg0.conf contains RU public key (no
__RU_DE_TUNNEL_PUBLIC_KEY__placeholder) - nftables service started (
systemctl status nftables) - wg-quick@wg0 started (
systemctl status wg-quick@wg0) - wg0 interface exists (
ip addr show wg0) - wg0 has correct IP (
ip addr show wg0 | grep 10.20.0.2)
RU VDS
- wg1.conf contains DE public key (no
__DE_SERVER_PUBLIC_KEY__placeholder) - dnsmasq started (
systemctl status dnsmasq) - wg-quick@wg1 started (
systemctl status wg-quick@wg1) - wg-quick@wg0 started (
systemctl status wg-quick@wg0) - wg1 interface exists (
ip addr show wg1) - wg0 interface exists (
ip addr show wg0) - wg1 has correct IP (
ip addr show wg1 | grep 10.20.0.1) - wg0 has correct IP (
ip addr show wg0 | grep 10.10.0.1)
Tunnel Tests
From RU VDS
- Can ping DE VDS:
ping -c 4 10.20.0.2 - WireGuard handshake established:
wg show wg1 | grep "latest handshake" - Transfer counters incrementing:
wg show wg1 | grep transfer
From DE VDS
- WireGuard handshake established:
wg show wg0 | grep "latest handshake" - Shows RU VDS as peer:
wg show wg0 peers - Transfer counters incrementing:
wg show wg0 | grep transfer
Routing Tests (Before Client Connection)
RU VDS
- Proxy routing table exists:
ip route show table proxy - Default route via DE:
ip route show table proxy | grep "default via 10.20.0.2" - Policy routing rule exists:
ip rule show | grep proxy - ipset 'direct' exists:
ipset list direct - iptables mangle rule exists:
iptables -t mangle -L PREROUTING | grep direct
Client Connection Tests
First Client Addition
- Client added successfully:
/root/add-client.sh testclient - Client keys generated:
ls /etc/wireguard/keys/client_testclient.* - Client config created:
ls /etc/wireguard/clients/testclient.conf - QR code generated successfully
- Peer added to wg0:
wg show wg0 peers | grep -f /etc/wireguard/keys/client_testclient.pub
Client Connection (From Client Device)
- WireGuard app installed
- Config imported successfully
- Connection established
- No connection errors in app
Basic Connectivity (From Client)
- Can ping VPN gateway:
ping 10.10.0.1 - Can ping DE VDS:
ping 10.20.0.2 - DNS resolution works:
nslookup google.com - DNS uses correct server:
nslookup google.com 10.10.0.1
Routing Verification (From Client)
- External IP shows DE VDS:
curl ifconfig.me(should be 194.31.173.178) - Can access international sites:
curl -I https://google.com - Can access Russian sites:
curl -I https://yandex.ru
DNS-Based Routing (From Client)
Visit some Russian sites first, then check on RU VDS:
- Visit
https://yandex.rufrom client - Visit
https://mail.rufrom client - Check ipset on RU VDS:
ipset list direct - ipset contains Russian IPs
- Visit
https://google.comfrom client - Check that google IPs NOT in direct ipset
Advanced Routing Tests
From client, check routing paths:
-
Traceroute to Russian site shows no DE hop
traceroute yandex.ru # Should NOT show 10.20.0.x -
Traceroute to international site shows DE hop
traceroute google.com # Should show 10.20.0.x in path
Performance Tests
Latency (From Client)
- Latency to VPN gateway:
ping -c 10 10.10.0.1- Expected: < 50ms (depends on your location)
- Latency through tunnel:
ping -c 10 8.8.8.8- Expected: 50-150ms (via DE)
Bandwidth (From Client)
- Download speed test:
curl -o /dev/null https://speed.cloudflare.com/__down?bytes=100000000 - Should get reasonable speeds (depends on VDS specs)
Client Management Tests
List Clients
- List shows active client:
/root/list-clients.sh - Shows correct IP assignment
- Shows latest handshake
Disable Client
- Disable client:
/root/disable-client.sh testclient - Client no longer in wg show:
wg show wg0 peers - Client cannot connect
- Keys still exist:
ls /etc/wireguard/keys/client_testclient.*
Enable Client
- Enable client:
/root/enable-client.sh testclient - Client appears in wg show:
wg show wg0 peers - Client can connect again
Add Multiple Clients
- Add 2nd client:
/root/add-client.sh client2 - Gets different IP (10.10.0.3)
- Both clients can connect simultaneously
- Both clients in list:
/root/list-clients.sh
Remove Client
- Remove client:
/root/remove-client.sh testclient - Client not in wg show
- Keys deleted:
ls /etc/wireguard/keys/client_testclient.* 2>&1 | grep "No such file" - Config deleted:
ls /etc/wireguard/clients/testclient.conf 2>&1 | grep "No such file"
Stress Tests
Multiple Concurrent Clients
- Add 5 clients
- All connect simultaneously
- All can browse internet
- Check server load:
top(CPU should be low) - Check memory:
free -h(should have free memory)
Continuous Traffic
- Stream video through VPN for 10 minutes
- No disconnections
- Stable speed
- Check for errors:
journalctl -u wg-quick@wg0 -n 50
Security Tests
Firewall Rules (DE VDS)
-
Port 51821 only accepts from RU IP:
# From another host (should fail) nc -u 194.31.173.178 51821 -
SSH still accessible (if configured)
-
Other ports closed
Firewall Rules (RU VDS)
-
Port 51820 accepts WireGuard connections
-
DNS only from VPN clients:
# From outside (should fail) dig @176.124.216.197 google.com -
SSH still accessible
-
Other ports closed
DNS Leak Test (From Client)
- Check DNS server used: visit https://dnsleaktest.com/
- Should show RU VDS or your VPN as DNS server
- Should NOT show your ISP's DNS
Failure Recovery Tests
Restart Services
- Restart wg-quick@wg0 on RU VDS
- Clients reconnect automatically
- No connection loss > 30 seconds
Reboot Tests
-
Reboot DE VDS:
reboot -
Services auto-start after boot
-
Tunnel re-establishes
-
Reboot RU VDS:
reboot -
Services auto-start after boot
-
Clients can reconnect
Logs Check
No Errors in Logs
- DE VDS WireGuard:
journalctl -u wg-quick@wg0 -n 50 --no-pager - RU VDS WireGuard wg0:
journalctl -u wg-quick@wg0 -n 50 --no-pager - RU VDS WireGuard wg1:
journalctl -u wg-quick@wg1 -n 50 --no-pager - RU VDS dnsmasq:
journalctl -u dnsmasq -n 50 --no-pager
Final Verification
- All clients can connect
- Russian domains route directly (fast)
- International domains route through DE (working)
- DNS resolution working
- No errors in logs
- Services set to auto-start
- Documentation updated with actual client names
- Backup of /etc/wireguard/ created
Troubleshooting References
If any tests fail, refer to:
- DEPLOYMENT.md - Troubleshooting section
- IMPLEMENTATION.md - Detailed implementation steps
Test Results Template
Date: ____________________
Tester: __________________
Pre-Deployment: ☐ Pass ☐ Fail
Post-Setup: ☐ Pass ☐ Fail
Tunnel Tests: ☐ Pass ☐ Fail
Routing Tests: ☐ Pass ☐ Fail
Client Tests: ☐ Pass ☐ Fail
Performance: ☐ Pass ☐ Fail
Security: ☐ Pass ☐ Fail
Recovery: ☐ Pass ☐ Fail
Notes:
_____________________________________
_____________________________________
_____________________________________