This is an old revision of the document!
Server Setup
Install WireGuard
Install WireGuard from Debian packages
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list echo -e "Package: *\nPin: release a=unstable\nPin-Priority: 150\n" | tee /etc/apt/preferences.d/limit-unstable sudo apt update sudo apt install wireguard
Check if wireguard kernel has been loaded correctly
lsmod | grep wireguard
the output should not be blank. If necessary, you can try to load wireguard kernel module manually with
sudo modprobe wireguard
Generate Server Keys
Generate server private key with
wg genkey
Copy and note down the generated key (should be something like SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=
).
Then, generate the corresponding public key with:
echo "SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=" | wg pubkey
and note down the generated public key (in our example will be SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk=
).
Generate User Keys
Generate user private key (one per user!) with
wg genkey
Copy and note down the generated key (should be something like
UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=
).
Then, generate the corresponding public key with:
echo "UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=" | wg pubkey
and note down the generated public key (in our example will be UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=
).
Configure the Server
Check the name of the network interface with
ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000 link/ether 00:0c:29:5a:8d:01 brd ff:ff:ff:ff:ff:ff
In our case the public network interface is ens32.
Now, create a file for the wireguard interface (wg0
in our example) with
sudo vim /etc/wireguard/wg0.conf
and add the following content (replace the sample keys with your actually generated keys and ens32 with your server's public interface):
[Interface] Address = 172.16.16.1/24 PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens32 -j MASQUERADE ListenPort = 5544 PrivateKey = SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA= [Peer] PublicKey = UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey= AllowedIPs = 172.16.16.2/32
You can also change the ListenPort from 5544 to a different, unused port (and open the corresponding port on the firewall).
and note