WireGuard is an open source VPN protocol and implementation. It aims to be faster, simpler, leaner and more useful than IPsec while avoiding its massive configuration headache, and to be considerably more performant than OpenVPN. It is designed as a general-purpose VPN that runs on embedded devices and supercomputers alike, fit for many different circumstances. Initially released as an out-of-tree Linux kernel module (and merged into mainline in Linux 5.6), it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is still under heavy development, but it is already widely regarded as one of the most secure, easiest to use and simplest VPN solutions available.

Installation on Debian 9+

If you do not use Debian 9+, follow the guides on WireGuard's install page.

Debian 11 (bullseye) and later ship the kernel module in the stock kernel and wireguard-tools in the main repository, so a plain apt install wireguard is enough there. The unstable pin below is for Debian 9 and 10, where the module is built by DKMS against the running kernel, which is why the matching linux-headers package is installed alongside it.

Run these commands as root:

echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install linux-headers-$(uname -r) wireguard

Or run these commands as your normal user via sudo:

echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install linux-headers-$(uname -r) wireguard

Generate keys

Run this on every peer (the server and each client). umask 077 makes both files readable only by their owner; the private key stays on the host that generated it, and only the public key is copied to the other side.

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

Configuration

Client

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.x.x.x/x
#DNS = 10.x.x.x, 10.x.x.x # optional; recommended if AllowedIPs is 0.0.0.0/0, so DNS queries also go through the tunnel instead of leaking to the local resolver

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0 # route everything through the tunnel, or list only the subnets you want to reach
Endpoint = SERVER_PUBLIC_IP:51820
# PersistentKeepalive = 25 # optional; useful when the client sits behind NAT and the server must be able to reach it

Server

/etc/wireguard/wg0.conf

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.x.x.x/x
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.x.x.x/32 # the client's tunnel address; add one [Peer] section per client, each with its own key pair and address

Replace PUBLIC_INTERFACE with the interface that carries your Internet traffic, such as eth0. On the server, AllowedIPs also acts as an access list: a packet arriving from a peer with a source address outside that peer's AllowedIPs is dropped, so keep it to the /32 of that client.
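The following script is an added example, not code from the original page or from the WireGuard project. It renders the client and server wg0.conf shown above from a few parameters, validates that what is pasted in looks like a WireGuard key, and (with the provision subcommand, on a host with wireguard-tools installed) generates both key pairs with wg genkey / wg pubkey and writes the files with the same 0600 permissions that umask 077 gives the key files. The tunnel subnet 10.8.0.0/24, the addresses 10.8.0.1 (server) and 10.8.0.2 (client), the public interface eth0 and the server address 203.0.113.10 are assumed values, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original page): render the client and server
# wg0.conf files from a few parameters, and optionally generate real key pairs
# with wg(8) from wireguard-tools. Assumed values (not on the page): tunnel
# subnet 10.8.0.0/24, server 10.8.0.1, client 10.8.0.2, public interface eth0,
# server reachable at 203.0.113.10:51820.

# A WireGuard key is 32 bytes in base64: 43 payload characters plus one '='.
# The 43rd character carries only 4 payload bits, so only 16 alphabet
# characters are legal there; anything else is a corrupted or truncated key.
is_wg_key() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'
}

# Generate a key pair on this host; prints "private public" on one line.
gen_keypair() {
    priv=$(wg genkey) || return 1
    pub=$(printf '%s\n' "$priv" | wg pubkey) || return 1
    printf '%s %s\n' "$priv" "$pub"
}

# Server config: $1 server private key, $2 server tunnel address (CIDR),
# $3 public interface for MASQUERADE, $4 client public key, $5 client tunnel IP.
render_server_conf() {
    is_wg_key "$1" && is_wg_key "$4" || { echo "render_server_conf: bad key" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2
ListenPort = 51820
PostUp   = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $3 -j MASQUERADE

[Peer]
PublicKey = $4
AllowedIPs = $5/32
EOF
}

# Client config: $1 client private key, $2 client tunnel address (CIDR),
# $3 server public key, $4 server endpoint host:port, $5 AllowedIPs.
# PersistentKeepalive is enabled here on the assumption the client is behind NAT.
render_client_conf() {
    is_wg_key "$1" && is_wg_key "$3" || { echo "render_client_conf: bad key" >&2; return 1; }
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $2

[Peer]
PublicKey = $3
AllowedIPs = $5
Endpoint = $4
PersistentKeepalive = 25
EOF
}

# Write stdin to a file created with mode 0600 (same as 'umask 077' for keys).
write_conf() {
    ( umask 077; cat > "$1" ) && echo "wrote $1" >&2
}

# Full run (needs wireguard-tools): server config goes to /etc/wireguard/wg0.conf,
# the client config to ./client-wg0.conf, to be copied to the client out of band.
provision() {
    set -- $(gen_keypair) $(gen_keypair)   # $1/$2 server pair, $3/$4 client pair
    [ $# -eq 4 ] || { echo "key generation failed (is wireguard-tools installed?)" >&2; return 1; }
    render_server_conf "$1" 10.8.0.1/24 eth0 "$4" 10.8.0.2 | write_conf /etc/wireguard/wg0.conf
    render_client_conf "$3" 10.8.0.2/24 "$2" 203.0.113.10:51820 0.0.0.0/0 | write_conf ./client-wg0.conf
}

if [ "${1:-}" = provision ]; then
    provision
fi
```

Run it as root with sh provision.sh provision on the server; everything else in the file is plain functions, so it can also be sourced and the render functions called with keys from an existing privatekey / publickey pair. Because the server's private key and the client's private key are generated in one place here, delete client-wg0.conf once it has been moved to the client.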

Enable IPv4 packet forwarding

The server only forwards packets between wg0 and PUBLIC_INTERFACE when IPv4 forwarding is enabled. In /etc/sysctl.d/99-sysctl.conf, uncomment the line #net.ipv4.ip_forward=1.

To apply, reboot or run sudo sysctl -p. Afterwards sysctl net.ipv4.ip_forward should print 1.

Daemonizing

Replace wg0 with the file name (without the .conf extension) of the configuration in /etc/wireguard/. wg-quick creates the interface from that file, applies the PostUp and PostDown commands, and on a client with AllowedIPs = 0.0.0.0/0 installs the routing rules that send all traffic through the tunnel.

sudo systemctl enable --now wg-quick@wg0
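An active wg-quick@wg0 unit only proves that the interface came up, not that any peer can reach it. The script below is an added example, not part of the original page or of WireGuard: it reads the tab-separated output of wg show wg0 dump (interface line first, then one line per peer with public key, preshared key, endpoint, allowed IPs, latest handshake as Unix time with 0 meaning never, rx/tx bytes and keepalive) and classifies each peer by handshake age, alongside checks that forwarding is on, the unit is active and the UDP port is bound. STALE_AFTER is an assumed threshold for this example, not a WireGuard constant (a peer that has simply been idle may legitimately show an older handshake), and the sample dump is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): verify a server-side wg0 after
# 'systemctl enable --now wg-quick@wg0'. STALE_AFTER is an assumed threshold.

STALE_AFTER=180

# Classify a peer from its latest_handshake field (Unix seconds, 0 = never).
handshake_state() {   # $1 latest_handshake, $2 now
    if [ "$1" -eq 0 ]; then
        echo never
    elif [ $(( $2 - $1 )) -le "$STALE_AFTER" ]; then
        echo fresh
    else
        echo stale
    fi
}

# Summarise each peer of a 'wg show <if> dump' stream on stdin as
# "<pubkey> <endpoint> <allowed-ips> <state>"; $1 is the current Unix time.
peer_report() {
    now=$1
    # Line 1 describes the interface itself; peer lines follow with the fields
    # pubkey psk endpoint allowed-ips latest-handshake rx tx keepalive.
    awk -F '\t' 'NR > 1 { print $1, $3, $4, $5 }' | while read -r pub ep ips hs; do
        printf '%s %s %s %s\n' "$pub" "$ep" "$ips" "$(handshake_state "$hs" "$now")"
    done
}

# Constructed sample dump (not from a real host): the server interface plus
# one peer with a recent handshake and one that has never connected.
SAMPLE_DUMP="$(printf 'SRVPRIV\tSRVPUB\t51820\toff\n'
    printf 'CLIENT1PUB\t(none)\t203.0.113.7:41234\t10.8.0.2/32\t1700000100\t4096\t8192\toff\n'
    printf 'CLIENT2PUB\t(none)\t(none)\t10.8.0.3/32\t0\t0\t0\toff\n')"

# Live checks, run as root on the server; each returns non-zero on failure.
check_forwarding() { [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]; }
check_unit()       { systemctl is-active --quiet "wg-quick@${1:-wg0}"; }
check_listening()  { ss -lun | grep -q ":${1:-51820} "; }

if [ "${1:-}" = live ]; then
    check_forwarding || echo "net.ipv4.ip_forward is 0; clients will not get beyond the server" >&2
    check_unit wg0   || echo "wg-quick@wg0 is not active" >&2
    check_listening  || echo "nothing bound on udp/51820" >&2
    wg show wg0 dump | peer_report "$(date +%s)"
fi
```

Run sh verify.sh live as root on the server. A peer listed as never has not completed a single handshake, which almost always means a wrong public key on one side, a wrong Endpoint, or UDP 51820 blocked by a firewall in front of the server; a fresh handshake with no traffic reaching the Internet points at forwarding or the MASQUERADE rule instead.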