notes:setup-wireguard-vpn-on-debian9

Server Setup

Install WireGuard

Install WireGuard from Debian packages

# add the unstable suite, pinned low so only packages missing from stable (like wireguard) come from it
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
echo -e "Package: *\nPin: release a=unstable\nPin-Priority: 150\n" | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install wireguard

Check that the wireguard kernel module has been loaded correctly with

lsmod | grep wireguard

The output should not be blank. If necessary, you can try to load the wireguard kernel module manually with

sudo modprobe wireguard

Generate Server Keys

Generate server private key with

wg genkey

Copy and note down the generated key (should be something like SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=).

Then, generate the corresponding public key with:

echo "SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=" | wg pubkey

and note down the generated public key (in our example it will be SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk=).

Generate User Keys

Generate a user private key (one per user!) with

wg genkey

Copy and note down the generated key (should be something like UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=).

Then, generate the corresponding public key with:

echo "UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=" | wg pubkey

and note down the generated public key (in our example it will be UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=).

Configure the Server

Check the name of the network interface with

ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:5a:8d:01 brd ff:ff:ff:ff:ff:ff

In our case the public network interface is ens32.

Now create the configuration file for the WireGuard interface (wg0 in our example) with

sudo vim /etc/wireguard/wg0.conf

and add the following content (replace the sample keys with your actually generated keys and ens32 with your server's public interface):

[Interface]
Address = 172.16.16.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens32 -j MASQUERADE
ListenPort = 5544
PrivateKey = SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=

[Peer]
PublicKey = UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=
AllowedIPs = 172.16.16.2/32

You can also change the ListenPort from 5544 to a different, unused port (and open the corresponding port on the firewall).
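As an added example (not part of these notes), a small POSIX shell lint for a wg0.conf like the one above: it checks that the file is owner-only (it holds the private key), that every key is a well-formed 32-byte base64 key, that each iptables rule added in PostUp is removed again in PostDown, and that each peer's AllowedIPs is a single unshared /32. It assumes GNU stat/grep/sed as found on Debian; the keys in the sample config are constructed placeholders.

```shell
# Added example, not part of the original notes: lint a wg0.conf like the one
# above before wg-quick up. Assumes GNU stat/grep/sed; keys are placeholders.
# Write a constructed wg0.conf to $1 under umask 077: it holds the private key.
write_sample_conf() {
    ( umask 077; cat > "$1" <<'EOF'
[Interface]
Address = 172.16.16.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens32 -j MASQUERADE
ListenPort = 5544
PrivateKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

[Peer]
PublicKey = BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBw=
AllowedIPs = 172.16.16.2/32
EOF
    )
}
# Return 0 when the config passes every check, 1 otherwise (reasons on stderr).
check_wg_conf() {
    conf=$1 rc=0
    # 1. Owner-only mode: anyone who can read this file has the server's private key.
    mode=$(stat -c %a "$conf")
    case "$mode" in 600|400) ;; *) echo "$conf: mode $mode, expected 600" >&2; rc=1 ;; esac
    # 2. A 32-byte key is 43 base64 chars + '='; the 43rd char carries only 4 bits (AEIMQUYcgkosw048).
    grep -q '^PrivateKey *=' "$conf" || { echo "$conf: no PrivateKey" >&2; rc=1; }
    bad=$(grep -E '^(PrivateKey|PublicKey) *=' "$conf" | sed 's/^[^=]*= *//' \
          | grep -Evc '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$' || :)
    [ "$bad" -eq 0 ] || { echo "$conf: $bad malformed key(s)" >&2; rc=1; }
    # 3. Each -A in PostUp needs its -D in PostDown, else every restart leaves stale rules behind.
    postup=$(sed -n 's/^PostUp *= *//p' "$conf")
    postdown=$(sed -n 's/^PostDown *= *//p' "$conf" | sed 's/; */;/g')
    oldifs=$IFS; IFS=';'; set -- $postup; IFS=$oldifs
    for rule; do
        rule=${rule# }; [ -n "$rule" ] || continue
        want=$(echo "$rule" | sed 's/ -A / -D /')
        case ";$postdown;" in *";$want;"*) ;;
            *) echo "$conf: PostUp rule not undone in PostDown: $rule" >&2; rc=1 ;;
        esac
    done
    # 4. Server-side AllowedIPs = source addresses accepted from that peer: one unshared /32 each (IPv4 only here).
    ips=$(sed -n 's/^AllowedIPs *= *//p' "$conf" | tr ',' '\n' | sed 's/^ *//')
    for ip in $ips; do
        case "$ip" in */32) ;; *) echo "$conf: AllowedIPs $ip is wider than /32" >&2; rc=1 ;; esac
    done
    [ -z "$(echo "$ips" | sort | uniq -d)" ] || { echo "$conf: duplicate AllowedIPs" >&2; rc=1; }
    return $rc
}
```

Run it as `check_wg_conf /etc/wireguard/wg0.conf` (as root, since the file should be unreadable to anyone else) and fix every reported line before `wg-quick up wg0`.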

and note

notes/setup-wireguard-vpn-on-debian9.1536234517.txt.gz · Last modified: 2018/09/06 11:48 by admin