Setup a VPN Server with WireGuard on Debian 9
– Tested with Debian 9 (server side) and Ubuntu 18.04 (client side) on September 2018 –
Server Setup
Install WireGuard on the Server
Install WireGuard from Debian packages
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
echo -e "Package: *\nPin: release a=unstable\nPin-Priority: 150\n" | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install wireguard
Check that the wireguard kernel module has been loaded correctly with
lsmod | grep wireguard
The output should not be blank. If necessary, you can load the wireguard kernel module manually with
sudo modprobe wireguard
Generate Server Keys
Generate the server private key with
wg genkey
Copy and note down the generated key (it should look something like SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=).
Then, generate the corresponding public key with:
echo "SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=" | wg pubkey
and note down the generated public key (in our example it is SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk=).
Generate User Keys
Generate a user private key (one per user!) with
wg genkey
Copy and note down the generated key (it should look something like UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=).
Then, generate the corresponding public key with:
echo "UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=" | wg pubkey
and note down the generated public key (in our example it is UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=).
Configure the Server
Check the name of the network interface with
ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:5a:8c:02 brd ff:ff:ff:ff:ff:ff
In our case the public network interface is ens32. Note down the public IP address of the server associated with that interface. In our example it will be 1.2.3.4 (no, I'm not from APNIC) - you can check yours with
ip a show dev ens32
Now, create a file for the wireguard interface (wg0s in our example) with
sudo vim /etc/wireguard/wg0s.conf
and add the following content (replace the sample keys with the keys you actually generated, and ens32 with your server's public interface):
[Interface]
Address = 172.16.16.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens32 -j MASQUERADE
ListenPort = 5544
PrivateKey = SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=

[Peer]
PublicKey = UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=
AllowedIPs = 172.16.16.2/32
You can also change the ListenPort from 5544 to a different, unused port (and open the corresponding port on the server's firewall).
Start the server
Start Wireguard on the server with
sudo wg-quick up wg0s
and check if the VPN tunnel is up and running with
wg show
If needed, you can kill the tunnel with
sudo wg-quick down wg0s
Client Setup
Install WireGuard on the Client
Install wireguard on your Ubuntu client with
sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard
Configure the Client
Now, create a file for the wireguard interface (wg0c in our example) on your Ubuntu client with
sudo vim /etc/wireguard/wg0c.conf
and add the following content (remember to replace the IP address of the Endpoint with the server's public address, and the sample keys with your own):
[Interface]
Address = 172.16.16.2/24
SaveConfig = true
ListenPort = 47824
FwMark = 0x1234
PrivateKey = UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=

[Peer]
PublicKey = SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 1.2.3.4:5544
PersistentKeepalive = 10
Start the client
Start Wireguard on the client with
sudo wg-quick up wg0c
and check if the VPN tunnel is up and running with
wg show
If needed, you can kill the tunnel with
sudo wg-quick down wg0c
Troubleshooting
- Do not mess up the keys - it's quite easy to swap client and server keys, or public and private ones (and break the tunnel)
- If you have a firewall running on your server, open the corresponding UDP port (5544 in the example above)
- If you are behind the Great Firewall, it will probably not work
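The two config files above are easy to get wrong by hand (the troubleshooting note about swapped or mangled keys is the usual failure). As an added example, not part of the original post, here is a small POSIX shell helper that checks each key you noted down has the shape WireGuard expects (a 32-byte key is exactly 43 base64 characters plus a trailing =) and then renders the server and client files with the address plan, port and iptables rules from this tutorial. The key values used in it are constructed placeholders, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): validate WireGuard keys and
# render the wg0s/wg0c config pair from the values noted down above.

# A WireGuard key is 32 bytes, so its base64 form is exactly 43 base64
# characters followed by one '=' pad (44 characters). A key that lost its
# trailing '=' or a character during copy/paste fails this check.
wg_key_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# Server side: $1 server private key, $2 peer public key,
#              $3 public interface (ens32 in the tutorial), $4 UDP listen port
render_server_conf() {
    wg_key_ok "$1" || { echo "server private key is malformed" >&2; return 1; }
    wg_key_ok "$2" || { echo "peer public key is malformed" >&2; return 1; }
    cat <<EOF
[Interface]
Address = 172.16.16.1/24
ListenPort = $4
PrivateKey = $1
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $3 -j MASQUERADE

[Peer]
PublicKey = $2
AllowedIPs = 172.16.16.2/32
EOF
}

# Client side: $1 client private key, $2 server public key, $3 endpoint host:port
render_client_conf() {
    wg_key_ok "$1" || { echo "client private key is malformed" >&2; return 1; }
    wg_key_ok "$2" || { echo "server public key is malformed" >&2; return 1; }
    cat <<EOF
[Interface]
Address = 172.16.16.2/24
PrivateKey = $1

[Peer]
PublicKey = $2
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = $3
PersistentKeepalive = 10
EOF
}
```

Run it as `render_server_conf "$SERVER_PRIV" "$USER_PUB" ens32 5544 | sudo tee /etc/wireguard/wg0s.conf` (and the client equivalent) after sourcing the file; a malformed key aborts before anything is written.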