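#!/bin/bash
#
# Setup script for DE VDS (Exit Node)
#
# Run this script as root on the DE VDS server.
#
# What it does: updates packages, installs WireGuard and nftables, enables
# IPv4 forwarding, generates (or keeps) the node's WireGuard key pair, writes
# /etc/wireguard/wg0.conf and /etc/nftables.conf, and enables both services.
# The RU VDS peer public key still has to be filled in by hand afterwards
# (see the printed "Next steps").
#
# Optional environment overrides:
#   RU_VDS_IP  public IPv4 address of the RU VDS that may reach the WireGuard
#              port (default: 176.124.216.197)
#   SSH_PORT   TCP port kept open for SSH in the nftables input chain
#              (default: 22)
#   WG_PORT    UDP ListenPort of wg0 (default: 51821)
set -euo pipefail

readonly RU_VDS_IP="${RU_VDS_IP:-176.124.216.197}"
readonly SSH_PORT="${SSH_PORT:-22}"
readonly WG_PORT="${WG_PORT:-51821}"
readonly WG_DIR=/etc/wireguard
readonly KEY_DIR="${WG_DIR}/keys"
readonly WG_CONF="${WG_DIR}/wg0.conf"
readonly NFT_CONF=/etc/nftables.conf
readonly SYSCTL_CONF=/etc/sysctl.d/99-vpn.conf

echo "========================================="
echo "DE VDS (Exit Node) Setup"
echo "========================================="
echo ""

# Check if running as root
if [ "$EUID" -ne 0 ]; then
  echo "ERROR: Please run as root" >&2
  exit 1
fi

echo "[1/7] Updating system packages..."
apt update
apt upgrade -y

echo "[2/7] Installing required packages..."
apt install -y wireguard nftables iptables

echo "[3/7] Enabling IP forwarding..."
cat > "$SYSCTL_CONF" << 'EOF'
# Enable IP forwarding for VPN
net.ipv4.ip_forward = 1
EOF
sysctl -p "$SYSCTL_CONF"

# From here on every file we create holds or references secret material
# (private key, wg0.conf with the key inside). A restrictive umask closes the
# window between "file written with the default 644" and "chmod 600 applied".
umask 077

echo "[4/7] Generating WireGuard keys..."
mkdir -p "$KEY_DIR"
chmod 700 "$KEY_DIR"
if [ ! -s "${KEY_DIR}/server.key" ]; then
  # Only generate on first run: rotating the key on a re-run would silently
  # break the peer entry the RU VDS already has for this node.
  wg genkey > "${KEY_DIR}/server.key"
else
  echo "  existing private key found in ${KEY_DIR}, keeping it"
fi
# Always derive the public key from the private key so the two stay in sync.
wg pubkey < "${KEY_DIR}/server.key" > "${KEY_DIR}/server.pub"
chmod 600 "${KEY_DIR}"/*

echo "[5/7] Creating WireGuard configuration..."
# The private key is expanded directly into the here-document instead of being
# patched in with sed: a sed argument would expose the key to every local user
# through the process list for as long as sed runs.
PRIVATE_KEY=$(< "${KEY_DIR}/server.key")
cat > "$WG_CONF" << EOF
[Interface]
Address = 10.20.0.2/30
ListenPort = ${WG_PORT}
PrivateKey = ${PRIVATE_KEY}
PostUp = nft -f ${NFT_CONF}
# Re-apply the base ruleset rather than "nft flush ruleset": flushing would
# leave the host with no firewall at all (input policy accept) whenever the
# tunnel is brought down.
PostDown = nft -f ${NFT_CONF}

[Peer]
# RU VDS (server tunnel)
PublicKey = __RU_DE_TUNNEL_PUBLIC_KEY__
AllowedIPs = 10.20.0.1/32, 10.10.0.0/24
EOF
unset PRIVATE_KEY
chmod 600 "$WG_CONF"

echo "[6/7] Creating nftables configuration..."
# Unquoted delimiter on purpose: SSH_PORT, RU_VDS_IP and WG_PORT are expanded.
# The file contains no other "$" so nothing else is touched.
cat > "$NFT_CONF" << EOF
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # Allow established connections
    ct state established,related accept

    # Allow loopback
    iif lo accept

    # Allow SSH (port fixed at setup time via SSH_PORT)
    tcp dport ${SSH_PORT} accept

    # Allow WireGuard from RU VDS only
    ip saddr ${RU_VDS_IP} udp dport ${WG_PORT} accept

    # Allow ICMP
    icmp type echo-request accept

    # An inet table filters IPv6 as well; with a drop policy and no neighbour
    # discovery the host would lose all IPv6 connectivity.
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept
  }

  chain forward {
    type filter hook forward priority 0; policy drop;

    # Allow forwarding from VPN
    iifname "wg0" accept

    # Allow established connections back
    ct state established,related accept
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

table inet nat {
  chain postrouting {
    type nat hook postrouting priority 100;

    # NAT traffic from VPN to internet
    oifname != "wg0" ip saddr { 10.10.0.0/24, 10.20.0.0/30 } masquerade
  }
}
EOF
chmod +x "$NFT_CONF"

echo "[7/7] Enabling services..."
systemctl enable nftables
systemctl enable wg-quick@wg0

echo ""
echo "========================================="
echo "Setup completed!"
echo "========================================="
echo ""
echo "IMPORTANT: Next steps"
echo ""
echo "1. Your DE VDS public key is:"
echo ""
cat "${KEY_DIR}/server.pub"
echo ""
echo "2. You need to get the RU VDS public key (from de-tunnel.pub)"
echo ""
echo "3. Edit ${WG_CONF} and replace:"
echo "   __RU_DE_TUNNEL_PUBLIC_KEY__ with the actual RU VDS de-tunnel public key"
echo ""
echo "4. Start the services:"
echo "   systemctl start nftables"
echo "   systemctl start wg-quick@wg0"
echo ""
echo "5. Verify the tunnel:"
echo "   wg show"
echo "   ping 10.20.0.1"
echo ""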