Debian setup WireGuard VPN

WireGuard on Debian 12 / Unstable branch

Installation step


echo "deb http://cdn-fastly.deb.debian.org/debian/ unstable main contrib non-free" > /etc/apt/sources.list

apt update -y 
apt install linux-headers-amd64
apt install wireguard 

Here: https://www.wireguardconfig.com

Old school way to generate the public and private key

(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)

wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey

Edit the wg0.conf file

## Vultr server has to change eth0 into ens3
# Edit wg0.conf
nano /etc/wireguard/wg0.conf

[Interface]
PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 1723 # UDP
Address = 10.8.3.1/32, fd42:42:44::1/64

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
#SaveConfig = true

## Generate from Android or other device
PublicKey = PUBLIC_KEY_ON_ANDROID
AllowedIPs = xxxx 

Save and fire it up!

wg-quick down wg0
wg-quick up wg0

Make it auto start on boot

systemctl enable wg-quick@wg0

Enable port forwarding

nano /etc/sysctl.conf 

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

//Save
sysctl -p 

Client config

[Interface]
PrivateKey = <Output of privatekey file that contains your private key>
Address = 10.8.3.14/32, fd42:42:44::14/64
DNS= 10.8.3.1
 
[Peer]
PublicKey = <Server's public key from *wg show* command on server>
Endpoint = <Linux server's Public IP>:993
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Troubleshooting

Reinstall Wireguard

// If you need reinstall
apt remove wireguard-dkms wireguard-tools wireguard
apt --fix-broken install && apt install wireguard 

If you using Google cloud with one-key Wireguard setup, and facing following error

$ ip link add dev wg0 type wireguard
RNETLINK answers: Operation not supported 

Solution

// Get latest linux-header
apt-get install libmnl-dev libelf-dev linux-headers-$(uname -r) build-essential pkg-config

// install wiregurad-tools again
apt-get install wireguard-dkms wireguard-tools

// Done
Credit: https://askubuntu.com/questions/973297/rnetlink-answers-operation-not-supported-fresh-ubuntu-fresh-wireguard

Sample wg0.conf

[Interface]
PrivateKey = 
#Publickey = 
ListenPort = 1723
Address = 10.8.3.1/24, fd42:42:44::1/64

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE

[Peer]
# Mbpr 15 coolbitx
PublicKey = A6RfZTadqUZEsJXq+tg6H2NeaxB5FmzcVhVwJ/uoUUw=

AllowedIPs = 10.8.3.10/32, fd42:42:44::10/128
[Peer]
#Mbpr 15 personal
PublicKey = kyekTDeE0s3Xm/uB3XHQTjGWxPvuBrc97vTSm05ngXE=

AllowedIPs = 10.8.3.11/32, fd42:42:44::11/128
[Peer]
# Iphone se
PublicKey = wMfGWgZlJ2RnOqy49Ho5iYFz3W+N2L19aD1MuwjOyDQ=

AllowedIPs = 10.8.3.12/32, fd42:42:44::12/128
[Peer]
# Iphone 11
PublicKey = ppyQ2za4zi8nFQyb3M+6MRwUee50tVweGBVaygCUe1o=

AllowedIPs = 10.8.3.13/32, fd42:42:44::13/128
[Peer]
# Oneplus
PublicKey = 0UTsdJqCxxL429tzWZnuyFjmlrpcR1sud7pAMys6HFc=

AllowedIPs = 10.8.3.14/32, fd42:42:44::14/128
[Peer]
# Ipad
PublicKey = WemttxN/Lt/260DOZAB3OC7Pfbea/UmBqfVeAnJa7BI=

AllowedIPs = 10.8.3.15/32, fd42:42:44::15/128
[Peer]
# Asus
PublicKey = GjajCWaFagQTwL9xLnB1b3S3I2xi7W0ZxtsxL4Cjk2E=

AllowedIPs = 10.8.3.16/32, fd42:42:44::16/128
[Peer]
#
PublicKey = j5thMmwrl9FE/BqjJr0I8x4UYJxxWPsHw06Y3J+qigQ=

AllowedIPs = 10.8.3.17/32, fd42:42:44::17/128

Photo by Matteo Catanese on Unsplash