WireGuard is an open source VPN protocol. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
Installation on Debian 9+
If you do not use Debian 9+, follow the guides on WireGuard’s install page.
Run these commands as the root user:
    echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
    apt update
    apt install linux-headers-$(uname -r) wireguard
Or run these commands as your normal user:
    echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
    printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable
    sudo apt update
    sudo apt install linux-headers-$(uname -r) wireguard
    umask 077; wg genkey | tee privatekey | wg pubkey > publickey
    [Interface]
    PrivateKey = PRIVATE_KEY
    Address = 10.x.x.x/x
    #DNS = 10.x.x.x, 10.x.x.x # optional, would recommend only if you set AllowedIPs to 0.0.0.0/0

    [Peer]
    PublicKey = Server_Public_Key
    AllowedIPs = 0.0.0.0/0 # or subnets you want to allow
    Endpoint = ip:51820
    # PersistentKeepalive = 25 # optional
    [Interface]
    PrivateKey = PRIVATE_KEY
    Address = 10.x.x.x/x
    ListenPort = 51820
    PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE
    PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE

    [Peer]
    PublicKey = Client_Public_key
    AllowedIPs = 10.x.x.x/32
PUBLIC_INTERFACE with your interface, such as
Enable IPv4 packet forwarding
/etc/sysctl.d/99-sysctl.conf, uncomment line
To apply, reboot or run sudo sysctl -p.
Replace wg0 with the filename (without extension) you have in
sudo systemctl enable --now wg-quick@wg0
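The server configuration above holds the private key and gives each client a single /32 in AllowedIPs. The following check is an added example, not part of the original guide: it flags a config file that group or other can read, a peer whose AllowedIPs is wider than a host route, and an address listed for two peers (WireGuard routes an allowed IP to only one peer, so the later entry takes it). The function name wg_conf_audit, the sample addresses and the key placeholders are constructed for illustration, and it assumes GNU stat and a setup like this page's, where every peer is a single client.

```shell
#!/bin/sh
# Added example, not from the original guide; wg_conf_audit is a hypothetical name.
# Flags a config readable by group/other and peers with wide or repeated AllowedIPs.
wg_conf_audit() {
    conf=$1
    mode=$(stat -c '%a' "$conf") || return 2    # GNU stat, as shipped on Debian
    status=0
    case $mode in
        [0-7]00) ;;
        *) echo "PERM: mode $mode lets group/other read the private key"; status=1 ;;
    esac
    out=$(awk '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        { sub(/#.*/, "") }    # drop comments
        /^[ \t]*\[/ { sect = tolower(trim($0)); if (sect == "[peer]") peer++; next }
        sect == "[peer]" && tolower($0) ~ /^[ \t]*allowedips[ \t]*=/ {
            sub(/^[^=]*=/, "")
            n = split($0, nets, ",")
            for (i = 1; i <= n; i++) {
                net = trim(nets[i])
                if (net == "") continue
                if (net !~ /\/(32|128)$/)
                    print "WIDE: peer " peer " AllowedIPs " net " is not a host route"
                if ((net in owner) && owner[net] != peer)
                    print "DUP: " net " listed for peer " owner[net] " and peer " peer
                owner[net] = peer
            }
        }' "$conf")
    if [ -n "$out" ]; then echo "$out"; status=1; fi
    return $status
}

# Constructed sample: the second peer repeats 10.0.0.2/32 and adds a whole /24.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = PRIVATE_KEY
ListenPort = 51820
[Peer]
PublicKey = Client_A_Public_Key
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = Client_B_Public_Key
AllowedIPs = 10.0.0.2/32, 10.0.0.0/24   # duplicate, then too wide
EOF
chmod 644 "$sample"
wg_conf_audit "$sample" || echo "findings above: fix before enabling the tunnel"
rm -f "$sample"
```

The function returns 0 for a clean file, 1 when it printed findings, and 2 when the file cannot be read.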