notes:setup-wireguard-vpn-on-debian9
Differences
This shows you the differences between two versions of the page.
notes:setup-wireguard-vpn-on-debian9 [2018/09/06 11:48] – old revision restored (2018/09/06 13:31) admin | notes:setup-wireguard-vpn-on-debian9 [2019/02/02 21:48] (current) – admin | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ==== Server | + | ====== Setup a VPN Server with WireGuard on Debian 9====== |
- | === Install WireGuard === | + | -- //Tested with **Debian 9** (server side) and **Ubuntu 18.04** (client side) on **September 2018**// -- |
+ | |||
+ | ===== Server Setup ====== | ||
+ | |||
+ | ==== Install WireGuard | ||
Install WireGuard from Debian packages | Install WireGuard from Debian packages | ||
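Review bot: The added heading "===== Server Setup ======" opens with five "=" and closes with six, and the new page title "Setup a VPN Server with WireGuard on Debian 9======" has no space before its closing markers. Balance the markers on both lines so DokuWiki renders the intended heading levels and the title text stays clean.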
Line 13: | Line 17: | ||
sudo modprobe wireguard | sudo modprobe wireguard | ||
- | === Generate Server Keys === | + | ==== Generate Server Keys ==== |
Generate server private key with | Generate server private key with | ||
Line 23: | Line 27: | ||
and note down the generated public key (in our example will be '' | and note down the generated public key (in our example will be '' | ||
- | === Generate User Keys === | + | ==== Generate User Keys ==== |
Generate user private key (one per user!) with | Generate user private key (one per user!) with | ||
Line 34: | Line 38: | ||
and note down the generated public key (in our example will be '' | and note down the generated public key (in our example will be '' | ||
- | === Configure the Server === | + | ==== Configure the Server |
Check the name of the network interface with | Check the name of the network interface with | ||
Line 42: | Line 46: | ||
link/ | link/ | ||
2: ens32: < | 2: ens32: < | ||
- | link/ether 00: | + | link/ether 00: |
- | In our case the public network interface is ens32. | + | In our case the public network interface is ens32. |
+ | ip a show dev ens32 | ||
- | Now, create a file for the wireguard interface ('' | + | Now, create a file for the wireguard interface ('' |
- | sudo vim / | + | sudo vim / |
and add the following content (replace the sample keys with your actually generated keys and ens32 with your server' | and add the following content (replace the sample keys with your actually generated keys and ens32 with your server' | ||
+ | |||
[Interface] | [Interface] | ||
Address = 172.16.16.1/ | Address = 172.16.16.1/ | ||
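Review bot: Missing documentation around the "sudo vim" step: the file created here receives the generated keys (the next line tells the reader to replace the sample keys), but nothing says who should be able to read it. Add a sentence telling the reader to keep the interface file readable by root only, for example by setting its mode to 600 after saving. The added "ip a show dev ens32" line is a useful check and can stay as it is.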
Line 59: | Line 65: | ||
PublicKey = UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey= | PublicKey = UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey= | ||
AllowedIPs = 172.16.16.2/ | AllowedIPs = 172.16.16.2/ | ||
+ | | ||
+ | You can also change the ListenPort from 5544 to a different, unused port (and open the corresponding port on the server' | ||
+ | |||
+ | ==== Start the server ==== | ||
+ | |||
+ | Start Wireguard on the server with | ||
+ | sudo wg-quick up wg0s | ||
+ | and check if the VPN tunnel is up and running with | ||
+ | wg show | ||
+ | |||
+ | If needed, you can kill the tunnel with | ||
+ | sudo wg-quick down wg0s | ||
+ | |||
+ | ===== Client Setup ====== | ||
+ | |||
+ | ==== Install WireGuard on the Client ==== | ||
+ | |||
+ | Install wireguard on your Ubuntu client with | ||
+ | sudo add-apt-repository ppa: | ||
+ | sudo apt-get update | ||
+ | sudo apt-get install wireguard | ||
+ | |||
+ | ==== Configure the Client ==== | ||
+ | |||
+ | Now, create a file for the wireguard interface ('' | ||
+ | sudo vim / | ||
+ | and add the following content (remember replace the IP address of the Endpoint with server public address and the keys). | ||
+ | |||
+ | [Interface] | ||
+ | Address = 172.16.16.2/ | ||
+ | SaveConfig = true | ||
+ | ListenPort = 47824 | ||
+ | FwMark = 0x1234 | ||
+ | PrivateKey = UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE | ||
+ | | ||
+ | [Peer] | ||
+ | PublicKey = SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk | ||
+ | AllowedIPs = 0.0.0.0/0, ::/0 | ||
+ | Endpoint = 1.2.3.4: | ||
+ | PersistentKeepalive = 10 | ||
+ | |||
+ | ==== Start the client ==== | ||
+ | |||
+ | Start Wireguard on with | ||
+ | sudo wg-quick up wg0c | ||
+ | and check if the VPN tunnel is up and running with | ||
+ | wg show | ||
- | You can also change the ListenPort from 5544 to a different, unused port (and open the corresponding port on the firewall). | + | If needed, you can kill the tunnel with |
+ | sudo wg-quick down wg0c | ||
- | and note | + | ===== Throubleshooting ===== |
+ | - Do not mess up the keys - it's quite easy to switch client and server, public and private (and break the tunnel) | ||
+ | - If you have a firewall running on your server, open the corresponding UDP port (5544 in the example above) | ||
+ | - If you are behind the Great Firewall, probably it will not work |
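Review bot: In the added client [Interface] block, "SaveConfig = true" makes wg-quick write the running interface state back to the file on "wg-quick down", so a manual edit made while the tunnel is up is overwritten. Either drop that line from the example or add a note to bring the tunnel down before editing. The client "AllowedIPs = 0.0.0.0/0, ::/0" sends all IPv4 and IPv6 traffic through the tunnel, which deserves one explanatory sentence since the addresses shown are IPv4 only. Smaller points in the same hunk: "===== Client Setup ======" has unbalanced heading markers, "Start Wireguard on with" is missing "the client", and "Throubleshooting" should read "Troubleshooting".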
notes/setup-wireguard-vpn-on-debian9.1536234517.txt.gz · Last modified: 2018/09/06 11:48 by admin