Set up a VPN Server with WireGuard on Debian 9
– Tested with Debian 9 (server side) and Ubuntu 18.04 (client side) in September 2018 –
Server Setup
Install WireGuard
Install WireGuard from Debian packages
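# Add the Debian unstable repository as a package source
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
# Pin unstable below the default priority (500) so installed packages are not upgraded from it
echo -e "Package: *\nPin: release a=unstable\nPin-Priority: 150\n" | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install wireguard
Check that the WireGuard kernel module has been loaded correctly: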
lsmod | grep wireguard
The output should not be blank. If necessary, you can try to load the WireGuard kernel module manually with:
sudo modprobe wireguard
Generate Server Keys
Generate the server private key with:
wg genkey
Copy and note down the generated key (should be something like SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=).
Then, generate the corresponding public key with:
echo "SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=" | wg pubkey
and note down the generated public key (in our example it will be SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk=).
Generate User Keys
Generate a user private key (one per user!) with:
wg genkey
Copy and note down the generated key (should be something like UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=).
Then, generate the corresponding public key with:
echo "UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=" | wg pubkey
and note down the generated public key (in our example it will be UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=).
Configure the Server
Now, create a file for the WireGuard interface (wg0 in our example) with:
sudo vim /etc/wireguard/wg0.conf
and add the following content (replace the sample keys with the keys you actually generated):
[Interface]
Address = 172.16.16.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens32 -j MASQUERADE
ListenPort = 5544
PrivateKey = SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=

[Peer]
PublicKey = UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=
AllowedIPs = 172.16.16.2/32
You can also change the ListenPort from 5544 to a different, unused port (and open the corresponding port on the firewall).
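A pre-flight check for the finished file, as an added example that is not part of the original guide: it verifies that wg0.conf is not accessible to group or other (it holds the server private key), that every key has the 44-character base64 shape, and that no AllowedIPs address is assigned to two peers. lint_wg_conf is a hypothetical helper name, and the key check covers shape only, not whether the key is the right one.

```sh
#!/bin/sh
# Added example: lint a wg-quick config such as /etc/wireguard/wg0.conf.
# lint_wg_conf is a hypothetical helper name, not a WireGuard command.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if unreadable.
lint_wg_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "$conf: cannot read"; return 2; }
    rc=0
    # The file holds the server PrivateKey: group and other must have no access.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "$conf: accessible to group/other, expected mode 600"
        rc=1
    fi
    awk '
        function bad(msg) { print FILENAME ":" NR ": " msg; err = 1 }
        function close_section() {
            if (sec == "Peer" && !(pub && ips)) bad("[Peer] above lacks PublicKey or AllowedIPs")
            if (sec == "Interface" && !priv) bad("[Interface] above lacks PrivateKey")
        }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        /^[ \t]*\[/ {                      # section header: [Interface] or [Peer]
            close_section()
            sec = $0; gsub(/[^A-Za-z]/, "", sec)
            pub = ips = 0
            next
        }
        {
            eq = index($0, "=")            # split on the first "=", since keys end in "="
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "PrivateKey" || key == "PublicKey") {
                # Shape only: 32 bytes in base64 are 43 characters plus one "=".
                if ((length(val) != 44) || (val !~ "^[A-Za-z0-9+/]+=$"))
                    bad(key " is not a 44-character base64 value")
                if (key == "PrivateKey") priv = 1; else pub = 1
            }
            if (key == "AllowedIPs" && sec == "Peer") {
                ips = 1
                n = split(val, cidr, /[ \t]*,[ \t]*/)
                for (i = 1; i <= n; i++)
                    if (seen[cidr[i]]++) bad("AllowedIPs " cidr[i] " is already assigned to an earlier peer")
            }
        }
        END { close_section(); exit err + 0 }
    ' "$conf" || rc=1
    return "$rc"
}
```

Run it as root with /etc/wireguard/wg0.conf as the argument before bringing the interface up. The placeholder user public key in the sample config above is 43 characters long, so the check reports it until a generated key replaces it.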