Setting Up WireGuard VPN on Debian

WireGuard is a modern, open-source VPN protocol designed for establishing secure and efficient virtual private networks. Developed by Jason A. Donenfeld, it aims to simplify the complexities of traditional VPN protocols while enhancing performance and security.

Prerequisites

  • A Debian server with a static IP address.
  • Access to the terminal with sudo privileges.

Step 1: Install WireGuard

First, update your package index and install WireGuard using the following commands:

sudo apt update
sudo apt install wireguard -y

Step 2: Generate Key Pairs

You need to generate a private and public key pair for the server:

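# umask is a shell builtin, so it must run inside the same root shell that creates the files
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/server_private.key | wg pubkey | tee /etc/wireguard/server_public.key'

This command creates two files in /etc/wireguard/, server_private.key and server_public.key, readable only by root, and prints the public key. Keep the private key secret; the public key is what you give to peers.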

Step 3: Configure the Server

Create a configuration file for the WireGuard interface. This example uses wg0 as the interface name and assigns it an IP address of 10.10.0.1/24.

sudo nano /etc/wireguard/wg0.conf

Add the following configuration:

[Interface]
Address = 10.10.0.1/24
ListenPort = 51820
PrivateKey = <server_private_key>

[Peer]
PublicKey = <client_public_key>
AllowedIPs = 10.10.0.2/32

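Replace <server_private_key> with the content of server_private.key and <client_public_key> with the public key of the client you plan to connect. Add one [Peer] section per client. Because the file now contains the private key, make sure only root can read it.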

Step 4: Enable IP Forwarding

To allow traffic to pass through the VPN, enable IP forwarding by editing /etc/sysctl.conf:

sudo nano /etc/sysctl.conf

Uncomment or add the following line:

net.ipv4.ip_forward = 1

Then apply the changes:

sudo sysctl -p

Step 5: Start WireGuard

To start the WireGuard interface, use:

sudo wg-quick up wg0

To ensure it starts automatically on boot, enable it with systemd:

sudo systemctl enable wg-quick@wg0

Step 6: Configure Clients

On each client machine (Debian or another OS), install WireGuard and generate a key pair the same way as on the server:

sudo apt install wireguard -y
# umask is a shell builtin, so it must run inside the same root shell that creates the files
sudo sh -c 'umask 077; wg genkey | tee /etc/wireguard/client_private.key | wg pubkey | tee /etc/wireguard/client_public.key'

Create a configuration file for the client:

sudo nano /etc/wireguard/wg0.conf

Add this configuration:

[Interface]
Address = 10.10.0.2/24
PrivateKey = <client_private_key>

[Peer]
PublicKey = <server_public_key>
Endpoint = <server_ip>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Replace <client_private_key> with your client’s private key, <server_public_key> with your server’s public key, and <server_ip> with your server’s public IP address. AllowedIPs = 0.0.0.0/0 sends all of the client’s IPv4 traffic through the tunnel.

Step 7: Start Client Connection

Start the client connection using:

sudo wg-quick up wg0

Conclusion

You now have a basic WireGuard VPN setup on Debian. Be sure to manage firewall rules appropriately, allowing traffic on UDP port 51820 so that the server and clients can communicate. For more advanced configurations, consider exploring routing options or additional peers as needed.
