
Wireguard VPN Setup

Forward policy

Users needing to run a VPN such as OpenVPN or WireGuard will need to adjust the DEFAULT_FORWARD_POLICY variable in /etc/default/ufw from a value of "DROP" to "ACCEPT" for proper VPN operation.

Server setup

WireGuard Server: Debian

In this tutorial, we set up a WireGuard service on a Debian server. This example uses "vanilla" Debian Buster.

At the end of this tutorial, the Debian server will have a virtual network interface wg0 living on private network 10.0.2.0/24. The Debian server will be ready to add WireGuard clients.

Platform

Install sudo

In this tutorial, we execute all commands as a non-root user with help from the sudo command. Debian doesn’t always come with sudo installed.

Check that sudo is installed.

$ sudo
-bash: sudo: command not found

In this example, the sudo command is missing. To fix, log in as root, either via the login prompt or via su - (which requires the root user password), and install the package.

apt install sudo

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  sudo
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
...
Setting up sudo (1.8.27-1+deb10u1) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for systemd (241-7~deb10u2) ...

Enable sudo

By default, Debian does not allow non-root users to use the sudo command.

Check your non-root user. In this example, the non-root user is jacob. Log in as the non-root user and run groups.

$ groups
jacob cdrom floppy audio dip video plugdev netdev

If the sudo group is included in this list, then the non-root user can use sudo. In the above example, the group sudo does not appear. To fix, log in as root, either via the login prompt or via su - (which requires the root user password), and add the user to the sudo group.

adduser jacob sudo

Log out the root user. If su - was used to run adduser, then also log out the non-root user, because group membership is only re-read at login. Log in as the non-root user and run groups again.

$ groups
jacob cdrom floppy sudo audio dip video plugdev netdev

In the above example, the group sudo appears where it was missing before.

Setup WireGuard

Install WireGuard

To install a recent version of WireGuard, we'll need packages from the Debian buster-backports repository. Add the backports repository and pin the backports priority below stable (priority 90 is lower than the default 500 for stable). This lets us install selected packages that are not available in Debian stable while keeping the "stable" versions of everything else.

$ sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list.d/backports.list"
$ sudo sh -c "printf 'Package: *\nPin: release a=buster-backports\nPin-Priority: 90\n' >> /etc/apt/preferences.d/limit-backports"

Update package information from both the stable and the backports repositories.

$ sudo apt update
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://deb.debian.org/debian buster-updates InRelease
Hit:3 http://security.debian.org/debian-security buster/updates InRelease
Hit:4 http://deb.debian.org/debian buster-backports InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.

Install the WireGuard packages. After this step, man wg and man wg-quick will work, and the wg command gets bash completion.

$ sudo apt install wireguard --assume-yes
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  dkms linux-compiler-gcc-8-x86 linux-headers-4.19.0-16-amd64 linux-headers-4.19.0-16-common
  linux-headers-amd64 linux-kbuild-4.19 wireguard-dkms wireguard-tools
Suggested packages:
  python3-apport menu openresolv | resolvconf
The following NEW packages will be installed:
  dkms linux-compiler-gcc-8-x86 linux-headers-4.19.0-16-amd64 linux-headers-4.19.0-16-common
  linux-headers-amd64 linux-kbuild-4.19 wireguard wireguard-dkms wireguard-tools
0 upgraded, 9 newly installed, 0 to remove and 0 not upgraded.
...
DKMS: install completed.
Setting up wireguard-tools (1.0.20210223-1~bpo10+1) ...
wg-quick.target is a disabled or a static unit, not starting it.
Setting up linux-headers-4.19.0-16-common (4.19.181-1) ...
Setting up wireguard (1.0.20210223-1~bpo10+1) ...
Setting up linux-headers-4.19.0-16-amd64 (4.19.181-1) ...
Setting up linux-headers-amd64 (4.19+105+deb10u11) ...
Processing triggers for man-db (2.8.5-2) ...

Create Keys

In every client/server relationship, each peer has its own private and public key pair. Create the private and public keys for the WireGuard service. Protect the private key with a restrictive file mode creation mask (umask 077), so the key file is created readable by its owner only.

$ (umask 077 && wg genkey > wg-private.key)
$ wg pubkey < wg-private.key > wg-public.key

Print the private key; we'll need it soon.

$ cat wg-private.key
qPF9uU7qsCbw3uKR1t2Q0gfr2HasTKZGPkCHz2AszUs=

Create the WireGuard Network Device

Create the WireGuard service config file at /etc/wireguard/wg0.conf. (Use a command like sudo nano /etc/wireguard/wg0.conf.)

# define the WireGuard service
[Interface]

# contents of file wg-private.key that was recently created
PrivateKey = qPF9uU7qsCbw3uKR1t2Q0gfr2HasTKZGPkCHz2AszUs=

# UDP service port; 51820 is a common choice for WireGuard
ListenPort = 51820

Create the WireGuard network device at /etc/network/interfaces.d/wg0. (Use a command like sudo nano /etc/network/interfaces.d/wg0.)

# indicate that wg0 should be created when the system boots, and on ifup -a
auto wg0

# describe wg0 as an IPv4 interface with static address
iface wg0 inet static

    # static IP address
    address 10.0.2.1/24

    # before ifup, create the device with this ip link command
    pre-up ip link add $IFACE type wireguard

    # before ifup, set the WireGuard config from earlier
    pre-up wg setconf $IFACE /etc/wireguard/$IFACE.conf

    # after ifdown, destroy the wg0 interface
    post-down ip link del $IFACE

Start WireGuard.

$ sudo ifup wg0

At any time, verify that the WireGuard configuration for wg0 is what you expect:

$ sudo wg show wg0
interface: wg0
  public key: 2efuG9OYmMPQpbkJ8CVxGlvQflY6p1u+o4wjcgGII0A=
  private key: (hidden)
  listening port: 51820

At any time, verify that the wg0 network interface exists.

$ ip address show dev wg0
7: wg0: mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.0.2.1/24 brd 10.0.2.255 scope global wg0
       valid_lft forever preferred_lft forever
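As an added example (not code from the original tutorial), the following POSIX shell script renders the [Interface] section from the key-creation and wg0.conf steps above, taking the key file, port and output path as arguments, and then checks the result before you would run ifup: owner-only file mode, a private key of the right shape, and a port in range. It uses a constructed placeholder key and a scratch directory in demo, and needs no wg binary.

```shell
# Added example, not part of the original tutorial. Renders and checks a
# server wg0.conf; paths are arguments so it can target a scratch directory.

# dummy_key: 43 base64 chars + '=' is the shape of a real 32-byte WireGuard key
dummy_key() {
    awk 'BEGIN { for (i = 0; i < 43; i++) printf "A"; print "=" }'
}

# render_wg_conf KEYFILE PORT OUTFILE
# umask 077 in a subshell keeps the file owner-only: it holds the private key
# in clear text, so it needs the same protection as wg-private.key itself.
render_wg_conf() {
    key=$(cat "$1") || return 1
    (
        umask 077
        printf '[Interface]\nPrivateKey = %s\nListenPort = %s\n' "$key" "$2" > "$3"
    )
}

# check_wg_conf FILE
# 0 only if group/other have no permission bits, PrivateKey has the shape of a
# base64 32-byte key, and ListenPort is a number in 1..65535.
check_wg_conf() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    # columns 5-10 of ls -ld are the group and other permission bits
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "$f: readable by group/other, chmod 600 it" >&2; return 2; }
    key=$(sed -n 's/^PrivateKey *= *//p' "$f")
    printf '%s\n' "$key" | grep -Eq '^[A-Za-z0-9+/]{43}=$' ||
        { echo "$f: PrivateKey is not a 32-byte base64 key" >&2; return 3; }
    port=$(sed -n 's/^ListenPort *= *//p' "$f")
    case "$port" in
        ''|*[!0-9]*) echo "$f: ListenPort is not numeric" >&2; return 4 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "$f: ListenPort $port out of range" >&2; return 4; }
    return 0
}

# demo: key file and config in a scratch directory; returns the check's status
demo() {
    d=$(mktemp -d)
    ( umask 077; dummy_key > "$d/wg-private.key" )
    render_wg_conf "$d/wg-private.key" 51820 "$d/wg0.conf"
    check_wg_conf "$d/wg0.conf" && rc=0 || rc=$?
    rm -rf "$d"
    return $rc
}
```

Run check_wg_conf against the real /etc/wireguard/wg0.conf as root to confirm it is mode 600 before wg setconf reads it.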

Arch Linux client setup

AUR Package networkmanager-wireguard-git