How to Set Up WireGuard VPN on Debian
TL;DR
To set up WireGuard VPN on Debian 13, follow these concise steps:
Install WireGuard: Ensure your package list is updated and install WireGuard:
sudo apt update && sudo apt install wireguard
Generate Key Pairs: Create a private and public key for the server:
umask 077 # Ensure keys are created with secure permissions
wg genkey | tee privatekey | wg pubkey > publickey
Configure WireGuard: Create a configuration file at /etc/wireguard/wg0.conf:
sudo nano /etc/wireguard/wg0.conf
Add the following content, adjusting the private key and IP address as needed:
[Interface]
PrivateKey = <server-private-key>
Address = 10.0.0.1/24 # Use a private subnet
[Peer]
PublicKey = <client-public-key>
AllowedIPs = 10.0.0.2/32 # Client's VPN IP
Enable IP Forwarding: Allow IP forwarding to enable traffic routing:
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p # Apply changes
Start WireGuard: Start the WireGuard interface:
sudo wg-quick up wg0
Set Up Firewall Rules: Use iptables to allow VPN traffic:
sudo iptables -A INPUT -i wg0 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -A FORWARD -o wg0 -j ACCEPT
Persist Configuration: To ensure WireGuard starts on boot:
sudo systemctl enable wg-quick@wg0
Caution: Always secure your private keys and restrict access to the configuration files. Use strong, unique keys for each client.
Installation of WireGuard
To install WireGuard on your Debian 13 server, follow these steps:
First, ensure your package list is up to date and install the WireGuard package along with the necessary tools:
sudo apt update && sudo apt upgrade -y # Update package list and upgrade installed packages
sudo apt install wireguard wireguard-tools -y # Install WireGuard and its tools
Next, verify the installation by checking the WireGuard version:
wg --version # Check the installed WireGuard version
After confirming the installation, you need to set up the WireGuard configuration. Create a directory for your WireGuard configuration files:
sudo mkdir -p /etc/wireguard # Create the WireGuard configuration directory (-p avoids an error if the package already created it)
Now, generate the private and public keys for the server:
umask 077 # Set permissions to restrict access to the keys
wg genkey | sudo tee /etc/wireguard/server_private.key > /dev/null # Generate private key without echoing it to the terminal
wg pubkey < /etc/wireguard/server_private.key | sudo tee /etc/wireguard/server_public.key # Generate public key
Make sure to keep your private key secure and never share it. You can view your public key with:
sudo cat /etc/wireguard/server_public.key # Display the public key
Next, create the WireGuard configuration file. Use a text editor to create /etc/wireguard/wg0.conf:
sudo nano /etc/wireguard/wg0.conf # Open the configuration file in nano
Add the following basic configuration, replacing <ServerPrivateKey> and <ClientPublicKey> with the server's actual private key and the client's public key:
[Interface]
Address = 10.0.0.1/24 # VPN subnet
ListenPort = 51820 # Default WireGuard port
PrivateKey = <ServerPrivateKey>
[Peer]
PublicKey = <ClientPublicKey> # Client's public key
AllowedIPs = 10.0.0.2/32 # Client's VPN IP
Finally, set the correct permissions for the configuration file:
sudo chmod 600 /etc/wireguard/wg0.conf # Secure the configuration file
You are now ready to start the WireGuard service.
Configuration of WireGuard Server
To configure the WireGuard server, follow these steps:
Generate Server Keys: First, create a directory for WireGuard and generate the private and public keys.
mkdir -p /etc/wireguard
cd /etc/wireguard
umask 077 # Ensure private key is not accessible by others
wg genkey | tee server_private.key | wg pubkey > server_public.key
Create the Configuration File: Create a configuration file named wg0.conf.
nano /etc/wireguard/wg0.conf
Add the following content, adjusting the PrivateKey, Address, and ListenPort as needed:
[Interface]
PrivateKey = <server_private_key> # Replace with the content of server_private.key
Address = 10.0.0.1/24 # VPN subnet
ListenPort = 51820 # Default WireGuard port
[Peer]
PublicKey = <client_public_key> # Replace with the client's public key
AllowedIPs = 10.0.0.2/32 # Client's VPN IP
Enable IP Forwarding: To allow traffic to flow through the VPN, enable IP forwarding.
echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sysctl -p # Apply changes
Start the WireGuard Interface: Bring up the WireGuard interface using the following command.
wg-quick up wg0 # Start the WireGuard interface
Set Up Firewall Rules: If you have a firewall, allow traffic on the WireGuard port.
ufw allow 51820/udp # Allow WireGuard traffic
Persist the Configuration: To ensure WireGuard starts on boot, enable the service.
systemctl enable wg-quick@wg0 # Enable WireGuard to start at boot
Caution: Always ensure your private keys are kept secure and never shared. Use strong, unique keys for each client.
Configuration of WireGuard Client
To configure the WireGuard client on a Debian 13 machine, follow these steps:
Install WireGuard: Ensure that WireGuard is installed on your client machine. If you haven’t done so, run:
sudo apt update && sudo apt install wireguard
Generate Key Pair: Create a private and public key for your client. This is crucial for establishing a secure connection.
umask 077 # Set permissions to protect private key
wg genkey | tee privatekey | wg pubkey > publickey
The private key will be stored in privatekey and the public key in publickey.
Create Configuration File: Create a configuration file for your WireGuard client. Replace <YOUR_PRIVATE_KEY>, <SERVER_PUBLIC_KEY>, <SERVER_IP>, and <CLIENT_IP> with your actual keys and IP addresses.
sudo nano /etc/wireguard/wg0.conf
Add the following content:
[Interface]
PrivateKey = <YOUR_PRIVATE_KEY>
Address = <CLIENT_IP>/24 # Use a unique IP for the client
[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_IP>:51820 # Server's public IP and port
AllowedIPs = 0.0.0.0/0 # Route all traffic through the VPN
PersistentKeepalive = 25 # Keep connection alive
Caution: Ensure that AllowedIPs is set correctly to avoid routing issues. Setting it to 0.0.0.0/0 routes all traffic through the VPN, which is common for a client.
Start WireGuard: Bring up the WireGuard interface with the following command:
sudo wg-quick up wg0
Enable on Boot: To ensure WireGuard starts on boot, enable the service:
sudo systemctl enable wg-quick@wg0
Check Status: Verify that the WireGuard interface is up and running:
sudo wg show
By following these steps, your WireGuard client should be properly configured and ready to connect to the VPN server.
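As an added example (not from the guide), here is a shell function that checks a wg0.conf written by the installation, server and client steps above before the interface is brought up: file mode, leftover <placeholder> values, required keys per section, key encoding, and AllowedIPs syntax. It assumes GNU stat and a POSIX awk as shipped on Debian; the function name check_wg_conf is our own.

```shell
#!/bin/sh
# check_wg_conf: sanity-check a WireGuard config before `wg-quick up`.
# Exit status 0 means no problems were found; each problem is printed as an ERROR line.
check_wg_conf() {
    conf="$1"; errors=0
    # A group- or world-readable file hands out the private key; expect mode 600 (or 400).
    mode=$(stat -c '%a' "$conf" 2>/dev/null) || { echo "ERROR: cannot stat $conf"; return 1; }
    case "$mode" in
        600|400) ;;
        *) echo "ERROR: $conf has mode $mode, expected 600"; errors=$((errors + 1)) ;;
    esac
    # Placeholders such as <ServerPrivateKey> copied from the template but never replaced.
    if grep -q '<[A-Za-z_]*>' "$conf"; then
        echo "ERROR: $conf still contains <placeholder> values"; errors=$((errors + 1))
    fi
    # Section-by-section checks. Curve25519 keys are 32 bytes: 44 base64 chars ending in '=',
    # and the 43rd char must encode two zero padding bits (the same test `wg` applies).
    awk -v conf="$conf" '
        function bad(msg) { print "ERROR: " conf ": " msg; errs++ }
        function flush(k) {
            if (sec == "Interface" && !("PrivateKey" in have)) bad("[Interface] lacks PrivateKey")
            if (sec == "Interface" && !("Address" in have))    bad("[Interface] lacks Address")
            if (sec == "Peer" && !("PublicKey" in have))       bad("[Peer] lacks PublicKey")
            if (sec == "Peer" && !("AllowedIPs" in have))      bad("[Peer] lacks AllowedIPs")
            for (k in have) delete have[k]
        }
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments and padding
        /^$/ { next }
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2); next }
        index($0, "=") == 0 { bad("unrecognized line: " $0); next }
        {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1);  gsub(/^[ \t]+|[ \t]+$/, "", val)
            have[key] = 1
            if (key ~ /^(PrivateKey|PublicKey|PresharedKey)$/ &&
                (length(val) != 44 || val !~ /^[A-Za-z0-9+\/]+=$/ || substr(val, 43, 1) !~ /[AEIMQUYcgkosw048]/))
                bad(key " is not a valid 44-character base64 key")
            if (key == "AllowedIPs" && val !~ /^[0-9a-fA-F.:]+\/[0-9]+(, *[0-9a-fA-F.:]+\/[0-9]+)*$/)
                bad("AllowedIPs must be comma-separated CIDRs, got: " val)
        }
        END { flush(); exit (errs > 0) }
    ' "$conf" || errors=$((errors + 1))
    [ "$errors" -eq 0 ]
}
```

Run it as root (the file is mode 600) with `check_wg_conf /etc/wireguard/wg0.conf`; it only reads the file and never prints key material.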
Firewall and Routing Setup
To ensure secure communication through your WireGuard VPN, you need to configure the firewall and routing settings on your Debian 13 server.
First, install iptables if it is not already installed:
sudo apt update
sudo apt install iptables
Next, configure iptables to allow traffic through the WireGuard port (default is 51820). You may also want to allow traffic for the VPN subnet. Replace 10.0.0.0/24 with your actual VPN subnet.
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
# Allow traffic from the VPN subnet
sudo iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outgoing traffic to the VPN subnet
sudo iptables -A OUTPUT -d 10.0.0.0/24 -j ACCEPT
To ensure that your changes persist after a reboot, install iptables-persistent:
sudo apt install iptables-persistent
During installation, you will be prompted to save the current iptables rules. Choose “Yes” to save.
Next, enable IP forwarding to allow traffic to flow between the VPN and the internet. Edit the /etc/sysctl.conf file:
sudo nano /etc/sysctl.conf
Uncomment or add the following line:
net.ipv4.ip_forward=1
Apply the changes:
sudo sysctl -p
Caution: Ensure that your firewall rules do not expose sensitive services to the internet. Always review your rules and test connectivity after making changes. Note that the rules above only accept and forward VPN traffic; if clients route all of their traffic (AllowedIPs = 0.0.0.0/0) through the server, the server also needs a NAT (masquerade) rule on its internet-facing interface so that replies from the internet find their way back into the tunnel.
Verification
To ensure that your WireGuard VPN setup is functioning correctly, you should perform a series of verification steps.
First, check the status of the WireGuard service to confirm it is active and running:
sudo systemctl status wg-quick@wg0
Ensure that the output indicates the service is “active (running).” If it is not, review the logs for errors.
Next, verify that the WireGuard interface is up and has the correct IP address assigned:
ip a show wg0
Look for the inet entry under the wg0 interface to confirm it has the expected IP address.
To test connectivity, use the ping command to check if you can reach the VPN server from a client device:
ping -c 4 <Server_Public_IP>
Replace <Server_Public_IP> with the actual public IP address of your WireGuard server. A successful response indicates that the server is reachable.
On the server, you can also check the connection status and peer information with:
sudo wg show
This command will display the current status of the WireGuard interface, including the latest handshake times and data transfer statistics for each peer.
For additional security, ensure that the firewall rules are correctly configured. Use iptables to list the current rules:
sudo iptables -L -v
Verify that rules allowing traffic on the WireGuard port (default is UDP 51820) are present and that other unwanted traffic is blocked.
Finally, consider testing the VPN from a client device by checking your public IP address before and after connecting to the VPN:
curl ifconfig.me
This will help confirm that your traffic is being routed through the VPN, as the IP address should change to that of the VPN server.
Always remember to keep your WireGuard configuration files secure and regularly review logs for any unauthorized access attempts.
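As an added example (not from the guide), the handshake check described above can be automated: the shell function below reads the machine-readable `wg show wg0 dump` output and lists peers whose latest handshake is missing or older than a threshold, which is useful from cron or a monitoring agent. The function name wg_stale_peers and the 180-second default are our choices; the field layout is WireGuard's own dump format.

```shell
#!/bin/sh
# wg_stale_peers: list peers that are not currently talking to this host.
# Input is `wg show <iface> dump` on stdin. Tab-separated fields per peer line:
#   public-key, preshared-key, endpoint, allowed-ips, latest-handshake (Unix seconds,
#   0 = never), transfer-rx, transfer-tx, persistent-keepalive.
# The first line describes the interface itself and is skipped.
# Usage: sudo wg show wg0 dump | wg_stale_peers "$(date +%s)" [max_age_seconds]
wg_stale_peers() {
    now="$1"; max_age="${2:-180}"
    # With traffic (or a PersistentKeepalive) flowing, a tunnel re-handshakes about every
    # 2 minutes, so 3 minutes without one is worth a look. Idle peers without keepalive
    # will legitimately show an old handshake; treat the list as a prompt, not an alarm.
    awk -F '\t' -v now="$now" -v max_age="$max_age" '
        NR == 1 { next }                                      # interface line
        NF < 8  { print "unparsable line " NR; bad++; next }  # defensive: format drift
        {
            key = substr($1, 1, 8) "..."; hs = $5 + 0; age = now - hs
            if (hs == 0)            { print key "\tnever connected\tallowed=" $4; stale++ }
            else if (age > max_age) { print key "\tstale " age "s\tallowed=" $4; stale++ }
        }
        END { exit (stale + bad > 0) }   # non-zero exit when anything was flagged
    '
}
```

Only a truncated public key is printed, so the output can go into logs or alerts without disclosing full peer identities.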
Rollback
In the event that you need to rollback your WireGuard VPN setup, follow these steps to ensure a safe and effective restoration of your previous configuration.
Stop the WireGuard Service: Before making any changes, stop the WireGuard service to prevent any active connections.
sudo systemctl stop wg-quick@wg0 # Replace wg0 with your interface name
Backup Current Configuration: Always create a backup of your current WireGuard configuration before rolling back. This allows you to restore it if needed.
sudo cp /etc/wireguard/wg0.conf /etc/wireguard/wg0.conf.bak # Backup current config
Restore Previous Configuration: If you have a previous configuration file saved (e.g., wg0.conf.old), you can restore it by copying it back to the original location.
sudo cp /path/to/wg0.conf.old /etc/wireguard/wg0.conf # Restore old config
Check Configuration Syntax: Before starting the service again, ensure that the configuration file is valid. wg-quick has no check subcommand; use wg-quick strip, which parses the file and prints the configuration exactly as it will be handed to wg, so you can review it before bringing the interface up.
sudo wg-quick strip wg0 # Parse the configuration and print what wg will receive
Start the WireGuard Service: Once you have restored the previous configuration and confirmed its validity, start the WireGuard service.
sudo systemctl start wg-quick@wg0 # Start the WireGuard service
Verify Connection: After starting the service, verify that the VPN is functioning correctly. You can check the status of the WireGuard interface.
sudo wg show # Display the current status of the WireGuard interface
Caution: Always ensure that you have a backup of your configurations before making changes. If you encounter issues after the rollback, consult the logs for any errors:
sudo journalctl -u wg-quick@wg0 # Check logs for errors
By following these steps, you can safely rollback your WireGuard VPN setup on Debian 13.