How To Set up WireGuard VPN Server on Debian 11

In this article, we want to teach you How To Set up WireGuard VPN Server on Debian 11.

WireGuard is a security-focused virtual private network (VPN) known for its simplicity and ease of use. It uses proven cryptography protocols and algorithms to protect data.

Originally developed for the Linux kernel, it is now deployable on Windows, macOS, BSD, iOS, and Android.

How To Set up WireGuard VPN Server on Debian 11

To set up WireGuard VPN on your server, you need to log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow or article the Initial Server Setup with Debian 11.

Now follow the steps below to install the WireGuard VPN server on Debian 11 and your client machine.

Install and Configure WireGuard VPN Server on Debian 11

WireGuard is available in the default Debian 11 repository. First, update your local package index with the following command:

sudo apt update

Then, install WireGuard and its dependencies with the following command:

sudo apt install wireguard wireguard-tools linux-headers-$(uname -r)

When your installation is completed, you need to create a private and public key pair for the WireGuard VPN server.

First, switch to your WireGuard directory with the following command:

cd /etc/wireguard/

Then, run the command below to generate your private and public key pair:

sudo umask 077; wg genkey | tee privatekey | wg pubkey > publickey

To display your keys, you can run the commands below:

$ sudo cat privatekey
$ sudo cat publickey

Note: Note down your private key to update your wg0.conf file.

Now you need to create the wg0.conf file with your favorite text editor, here we use vi:

sudo vi /etc/wireguard/wg0.conf

Add the following content to the file, remember to replace the private key with your own:

## Set Up WireGuard VPN on Debian By Editing/Creating wg0.conf File ##
[Interface]
## My VPN server private IP address ##
Address = 192.168.10.1/24
 
## My VPN server port ##
ListenPort = 51194
 
## VPN server's private key i.e. /etc/wireguard/privatekey ##
PrivateKey = your-private-key
 
## Save and update this config file when a new peer (vpn client) added ##
SaveConfig = true

When you are done, save and close the file.

We assumed that you have enabled the UFW firewall. Now you need to open the WireGuard port through the Debian 11 firewall with the following command:

sudo ufw allow 51194/udp

Start WireGurd VPN service on Debian 11

At this point, you can start your WireGuard VPN service with the following command:

sudo systemctl start [email protected]

You can enable your WireGuard VPN service to start on boot with the command below:

sudo systemctl enable [email protected]

Then, use the following command to get your service status:

sudo systemctl status [email protected]
Output
[email protected] - WireGuard via wg-quick(8) for wg0
Loaded: loaded (/lib/systemd/system/[email protected]; enabled; vendor pre>
Active: active (exited) since Tue 2022-02-08 02:49:42 EST; 1min 18s ago
Docs: man:wg-quick(8)
man:wg(8)
https://www.wireguard.com/
https://www.wireguard.com/quickstart/
https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
Main PID: 6542 (code=exited, status=0/SUCCESS)
Tasks: 0 (limit: 2340)
Memory: 0B
CPU: 0
CGroup: /system.slice/system-wg\x2dquick.slice/[email protected]

Also, you can verify that interface named wg0 is up and running on Debian 11 with the following commands:

sudo wg
Output
interface: wg0
public key: SJTBnAY969M4ffZxAnrrngLW39zRr00Y0nPD1u7QQiQ=
private key: (hidden)
listening port: 51194
sudo ip a show wg0
Output
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOup default qlen 1000
link/none
inet 192.168.10.1/24 scope global wg0
valid_lft forever preferred_lft forever

Here you have installed and configured the WireGaurd VPN service on your Debian 11 server. Now you need to set up the WireGurd VPN client configuration.

Install and Configure WireGuard VPN Server on the Client machine

At this point, you need to set up the WireGuard client VPN. It is the same as the steps on the server.

First, install the WireGaurd client VPN on the Debian Linux 11 desktop with the following command:

$ sudo apt update
$ sudo apt install wireguard wireguard-tools linux-headers-$(uname -r)

Then, you need to create the WireGuard VPN client config file on your Debian Linux 11 desktop and generate your private and public key pair with the commands below:

$ sudo sh -c 'umask 077; touch /etc/wireguard/wg0.conf'
$ cd /etc/wireguard/
$ sudo umask 077; wg genkey | tee privatekey | wg pubkey > publickey
$ sudo cat privatekey
$ sudo cat publickey

Now open the wg0.conf file with your favorite text editor, here we use vi:

sudo vi /etc/wireguard/wg0.conf
[Interface]
## This Desktop/client's private key ##
PrivateKey = your-client-private-key
 
## Client ip address ##
Address = 192.168.10.2/24
 
[Peer]
## Debian 11 server public key ##
PublicKey = your-server-public-key
 
## set ACL ##
AllowedIPs = 192.168.10.0/24
 
## Your Debian 11 LTS server's public IPv4/IPv6 address and port ##
Endpoint = your-server-ip-address:51194
 
##  Key connection alive ##
PersistentKeepalive = 20

When you are done, save and close the file.

Now you need to start and enable your WireGuard VPN client with the commands below:

$ sudo systemctl enable [email protected]
$ sudo systemctl start [email protected]
$ sudo systemctl status [email protected]

At this point, you need to allow the desktop client and Debian server connection over VPN.

Allow Client and Server connection over WireGuard VPN

Here you need to configure the wg0.conf file from the server-side and allow a connection between the Desktop client computer and the server.

First, stop your WireGuard VPN service on Debian 11 with the following command:

sudo systemctl stop [email protected]

Then, open the wg0.conf file on Debian 11 with your favorite text editor, here we use vi:

sudo vi /etc/wireguard/wg0.conf

Add the peer/client section to the file:

[Peer]
## Desktop/client VPN public key ##
PublicKey = your-client-public-key
 
## client VPN IP address (note  the /32 subnet) ##
AllowedIPs = 192.168.10.2/32

When you are done, save and close the file.

Now start your service again with the following command:

sudo systemctl start [email protected]

At this point, both Debian servers and clients must be connected securely using a peer-to-peer VPN called WireGuard.

You can test your connection with the following commands on your client machine:

$ ping -c 4 192.168.10.1
$ sudo wg

Now try to ssh into the server using your VPN connection:

ssh [email protected]

Conclusion

At this point, you learn to set up and configure the WireGuard VPN server on both Debian 11 server and your client machine.

For more information, you can visit the WireGuard Documentation page.

Hope you enjoy it.

May this article about Install and Configure WireGuard on Ubuntu 20.04 be useful for you.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles

POPULAR TAGS

Most Popular