Debian 10 set up WireGuard VPN server

How do I install and set up WireGuard VPN server on a Debian 10 Linux server? How can I configure Debian 10 as the WireGuard VPN server?

WireGuard is a free, open-source, modern, and fast VPN with state-of-the-art cryptography. It is quicker and simpler than IPSec and OpenVPN. It was originally released for the Linux kernel, and it is gaining cross-platform support for other operating systems such as FreeBSD. This page explains how to install and set up a WireGuard VPN on a Debian 10 Linux server.

Procedure: Debian 10 set up WireGuard VPN server

Our sample setup is a simple peer connection between a cloud server running Debian 10 LTS and a Debian/Ubuntu/RHEL/SUSE/OpenSUSE/CentOS Linux desktop client (or iOS/Android app).

Step 1 – Update your system

Run the apt command/apt-get command to install Debian 10 security updates:

apt-get update && apt-get upgrade

Step 2 – Enable Debian 10 buster backports repo

WireGuard is in the Debian backports repo. Enable backports by running:

sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"

Use the cat command to verify repo:

cat /etc/apt/sources.list.d/buster-backports.list

Update the repo, run:

apt update

Search for the WireGuard package

Run the following command:

apt search wireguard

Step 3 – Installing a WireGuard VPN server on Debian 10 LTS

Now our server is updated with the latest security patches and buster-backports is enabled. It is time to set up a WireGuard VPN server on the Debian 10 server. Enter:

apt install wireguard

Step 4 – Configuring WireGuard server

First we need to create a private and public key pair for the WireGuard server. Let us cd into /etc/wireguard/ directory using the cd command as follows:

cd /etc/wireguard/

Execute the following command:

umask 077; wg genkey | tee privatekey | wg pubkey > publickey

To view keys created use the cat command and ls command:

# ls -l privatekey publickey
# cat privatekey
## Please note down the private key ##
# cat publickey

Set Up WireGuard VPN on Debian by Editing wg0.conf

Edit or update the /etc/wireguard/wg0.conf file as follows:

nano /etc/wireguard/wg0.conf

Append the following config directives:

## Set Up WireGuard VPN on Debian By Editing/Creating wg0.conf File ##
[Interface]
## My VPN server private IP address ##
Address = 192.168.10.1/24
 
## My VPN server port ##
ListenPort = 51194
 
## VPN server's private key i.e. /etc/wireguard/privatekey ##
PrivateKey = eEvqkSJVw/7cGUEcJXmeHiNFDLBGOz8GpScshecvNHU
 
## Save and update this config file when a new peer (vpn client) added ##
SaveConfig = true

Save and close the file.

Step 5 – Set up UFW firewall rules

I am assuming that you have UFW configured and we are going to open UDP 51194 port using the ufw command as follows:

# ufw allow 51194/udp

See “How To Configure Firewall with UFW on Debian 10 LTS” for more info.

Step 6 – Enable and start WireGuard service

Turn on the WireGuard service at boot time using the systemctl command, run:

# systemctl enable wg-quick@wg0

Start the service, execute:

# systemctl start wg-quick@wg0

Get the service status, run:

# systemctl status wg-quick@wg0

Verify that the interface named wg0 is up and running on the Debian server using the wg and ip commands:

# sudo wg
# ip a show wg0

Step 7 – Wireguard VPN client configuration

The procedure for installing and configuring a VPN client is the same as setting up the server. Let us install the client on a Debian Linux 10 desktop:

# sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
# apt update

Install wireguard on Linux desktop, run:

apt install wireguard

Next we need to create the VPN client config on the Debian/CentOS Linux desktop:

# sh -c 'umask 077; touch /etc/wireguard/wg0.conf'
# cd /etc/wireguard/
# umask 077; wg genkey | tee privatekey | wg pubkey > publickey
# ls -l publickey privatekey
## Note down the privatekey ##
# cat privatekey

Edit the /etc/wireguard/wg0.conf file:

nano /etc/wireguard/wg0.conf

Append the following directives:

[Interface]
## This Desktop/client's private key ##
PrivateKey = uJPzgCQ6WNlAUp3s5rabE/EVt1qYh3Ym01sx6oJI0V4
 
## Client ip address ##
Address = 192.168.10.2/24
 
[Peer]
## Debian 10 server public key ##
PublicKey = qdjdqh2pN3DEMDUDRob8K3bp9BZFJbT59fprBrl99zM
 
## set ACL ##
AllowedIPs = 192.168.10.0/24
 
## Your Debian 10 LTS server's public IPv4/IPv6 address and port ##
Endpoint = 172.105.112.120:51194
 
## Keep connection alive ##
PersistentKeepalive = 20

Enable and start VPN client/peer connection, run:

# systemctl enable wg-quick@wg0
# systemctl start wg-quick@wg0
# systemctl status wg-quick@wg0

Allow desktop client and Debian server connection over VPN (peer)

We need to add the desktop client as a peer on the server so that the two can connect. Go back to the Debian 10 LTS server and edit the wg0.conf file to add the [Peer] (client) information (type these commands on your server box). The service is stopped first because, with SaveConfig = true, wg-quick writes the running configuration back to wg0.conf when the interface goes down, which would overwrite edits made while it is up:

# systemctl stop wg-quick@wg0
# vi /etc/wireguard/wg0.conf

Append the following config:

[Peer]
## Desktop/client VPN public key ##
PublicKey = 2H8vRWKCrddLf8vPwwTLMfZcRhOj10UBdc0j8W7yQAk=
 
## client VPN IP address (note the /32 subnet) ##
AllowedIPs = 192.168.10.2/32

Save and close the file. Next start the service again, run:

systemctl start wg-quick@wg0
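
The following script is an added example, not part of the original tutorial: it checks a server-side wg0.conf for the three properties the steps above rely on (owner-only file mode from umask 077, well-formed keys, and one host address per peer with no address shared between peers). The function name audit_wg_conf and the finding labels are made up for this example, and the sample config it runs on is constructed with placeholder key material.

```shell
# Added example: audit a server-side wg-quick config before starting it.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_wg_conf() {
    conf=$1
    findings=$(
        # The file holds PrivateKey, so only its owner may access it
        # (the effect of creating it under "umask 077").
        mode=$(stat -c '%a' "$conf")
        case $mode in
            (?00) ;;
            (*) echo "MODE $mode: group/other can access $conf" ;;
        esac
        awk '
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /^\[Peer\]/ { peer++ }
        # A key is 32 bytes: 43 base64 characters followed by one "=".
        /^(PrivateKey|PublicKey|PresharedKey)[ \t]*=/ {
            k = val($0)
            if (length(k) != 44 || k !~ /^[A-Za-z0-9+\/]+=$/)
                print "KEY line " NR ": not a 44-character base64 key"
        }
        # Each peer should own single addresses (/32 or /128), and no
        # address may be listed under two peers.
        /^AllowedIPs[ \t]*=/ {
            n = split(val($0), ip, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++) {
                if (ip[i] !~ /\/(32|128)$/)
                    print "WIDE peer " peer ": " ip[i] " is wider than one host"
                if (ip[i] in owner)
                    print "DUP " ip[i] ": peers " owner[ip[i]] " and " peer
                else
                    owner[ip[i]] = peer
            }
        }' "$conf"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: key missing its "=" pad, and a /24 under a server peer.
k=$(printf '%043d' 0 | tr 0 A)   # 43 x "A", placeholder key material
demo=$(mktemp)                   # created with mode 600
printf '[Interface]\nPrivateKey = %s\n[Peer]\nPublicKey = %s=\nAllowedIPs = 192.168.10.0/24\n' "$k" "$k" > "$demo"
audit_wg_conf "$demo" || true
rm -f "$demo"
```

The WIDE check applies to the server file only; a client's [Peer] section legitimately lists the whole VPN subnet in AllowedIPs, as in the client config above.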

Step 8 – Verification

That is all, folks. By now, the Debian server and client should be connected securely using a peer-to-peer WireGuard VPN. Let us test the connection. Type the following commands on your client machine/desktop system:

# ping -c 4 192.168.10.1
# wg
## try to ssh into server using our VPN connection ##
# ssh [email protected]

Step 9 – Firewall configurations

Now we have set up and configured peer-to-peer VPN networking for our server and client. However, you may want to give access to the Internet for all VPN clients. For these purposes, we need to set up IPv4 and IPv6 firewall rules, including NAT and IP forwarding. See the following tutorial:

  • How To Set Up WireGuard Firewall Rules in Linux

Conclusion

Congratulations! You just learned how to set up a WireGuard VPN server on a Debian 10 LTS server and a peer (client machine) on a Debian/CentOS Linux desktop. I strongly suggest that you read the WireGuard project documentation.
