Set up WireGuard VPN Server on Debian 11 – Easy Setup
This article explains how to set up a WireGuard VPN server on Debian 11. WireGuard is a security-focused virtual private network (VPN) known for its simplicity and ease of use. It uses proven cryptographic protocols and algorithms to protect data. Originally developed for the Linux kernel, it is now deployable on Windows, macOS, BSD, iOS, and Android.
Follow the steps below, provided by the Orcacore team, to set up a WireGuard VPN server on Debian 11.
Steps To Set up WireGuard VPN Server on Debian 11
To set up a WireGuard VPN server on Debian 11, you need to log in to your server as a non-root user with sudo privileges and set up a basic firewall. To do this, you can follow our article, Initial Server Setup with Debian 11.
Now follow the steps below to Set up WireGuard VPN Server on Debian 11 and Configure your client machine.
Step 1 – Install WireGuard VPN Server on Debian 11
WireGuard is available in the default Debian 11 repository. First, update your local package index with the following command:
sudo apt update
Then, install WireGuard and its dependencies with the following command:
sudo apt install wireguard wireguard-tools linux-headers-$(uname -r)
When you are finished with the installation, you need to create a private and public key pair for the WireGuard VPN server.
Create private and public key pairs for WireGuard VPN server
First, switch to your WireGuard directory with the following command:
cd /etc/wireguard/
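Then, run the command below to generate your private and public key pair. umask is a shell builtin, so it and the output redirection must run inside a root shell rather than directly after sudo:
sudo sh -c 'cd /etc/wireguard && umask 077 && wg genkey | tee privatekey | wg pubkey > publickey'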
To display your keys, you can run the commands below:
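sudo cat /etc/wireguard/privatekey
sudo cat /etc/wireguard/publickey
Note: Copy the private key value; you will paste it into your wg0.conf file below. Keep it secret; only the public key is shared with peers.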
Now you need to create the wg0.conf file with your favorite text editor, here we use vi:
sudo vi /etc/wireguard/wg0.conf
Add the following content to the file, remember to replace the private key with your own:
## Set Up WireGuard VPN on Debian By Editing/Creating wg0.conf File ##
[Interface]
## My VPN server private IP address ##
Address = 192.168.10.1/24
## My VPN server port ##
ListenPort = 51194
## VPN server's private key i.e. /etc/wireguard/privatekey ##
PrivateKey = your-private-key
## Save and update this config file when a new peer (vpn client) added ##
SaveConfig = true
When you are done, save and close the file.
We assumed that you have enabled the UFW firewall. Now you need to open the WireGuard port through the Debian 11 firewall with the following command:
sudo ufw allow 51194/udp
Step 2 – Manage WireGuard VPN service on Debian 11
At this point, you can start your WireGuard VPN service with the following command:
sudo systemctl start wg-quick@wg0
You can enable your WireGuard VPN service to start on boot with the command below:
sudo systemctl enable wg-quick@wg0
Then, use the following command to get your service status:
sudo systemctl status wg-quick@wg0
Output
wg-quick@wg0.service - WireGuard via wg-quick(8) for wg0
     Loaded: loaded (/lib/systemd/system/wg-quick@.service; enabled; vendor pre>
     Active: active (exited) since Tue 2022-02-08 02:49:42 EST; 1min 18s ago
       Docs: man:wg-quick(8)
             man:wg(8)
             https://www.wireguard.com/
             https://www.wireguard.com/quickstart/
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg-quick.8
             https://git.zx2c4.com/wireguard-tools/about/src/man/wg.8
   Main PID: 6542 (code=exited, status=0/SUCCESS)
      Tasks: 0 (limit: 2340)
     Memory: 0B
        CPU: 0
     CGroup: /system.slice/system-wg\x2dquick.slice/wg-quick@wg0.service
Also, you can verify that the interface named wg0 is up and running on Debian 11 with the following commands:
sudo wg
Output
interface: wg0
public key: SJTBnAY969M4ffZxAnrrngLW39zRr00Y0nPD1u7QQiQ=
private key: (hidden)
listening port: 51194
sudo ip a show wg0
Output
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 192.168.10.1/24 scope global wg0
valid_lft forever preferred_lft forever
You have now installed and configured the WireGuard VPN service on your Debian 11 server. Next, you need to set up the WireGuard VPN client configuration.
Step 3 – Install WireGuard Client on Debian 11
At this point, you have learned to Set up WireGuard VPN Server on Debian 11. Now you need to set up the WireGuard client VPN. It is the same as the steps on the server.
First, install the WireGuard client VPN on the Debian Linux 11 desktop with the following commands:
sudo apt update
sudo apt install wireguard wireguard-tools linux-headers-$(uname -r)
Then, you need to create the WireGuard VPN client config file on your Debian Linux 11 desktop and generate your private and public key pair with the commands below:
sudo sh -c 'umask 077; touch /etc/wireguard/wg0.conf'
sudo sh -c 'cd /etc/wireguard && umask 077 && wg genkey | tee privatekey | wg pubkey > publickey'
sudo cat /etc/wireguard/privatekey
sudo cat /etc/wireguard/publickey
Now open the wg0.conf file with your favorite text editor, here we use vi:
sudo vi /etc/wireguard/wg0.conf
[Interface]
## This Desktop/client's private key ##
PrivateKey = your-client-private-key
## Client ip address ##
Address = 192.168.10.2/24

[Peer]
## Debian 11 server public key ##
PublicKey = your-server-public-key
## set ACL ##
AllowedIPs = 192.168.10.0/24
## Your Debian 11 LTS server's public IPv4/IPv6 address and port ##
Endpoint = your-server-ip-address:51194
## Keep connection alive ##
PersistentKeepalive = 20
When you are done, save and close the file.
Now you need to start and enable your WireGuard VPN client with the commands below:
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo systemctl status wg-quick@wg0
At this point, you need to allow the desktop client and Debian server connection over VPN.
Step 4 – Allow Client and Server connection over WireGuard VPN
Here you need to configure the wg0.conf file from the server side and allow a connection between the Desktop client computer and the server.
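First, stop your WireGuard VPN service on Debian 11 with the following command. Because SaveConfig = true makes wg-quick write the running interface state back to wg0.conf when the interface goes down, edits made while the service is running would be overwritten: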
sudo systemctl stop wg-quick@wg0
Then, open the wg0.conf file on Debian 11 with your favorite text editor, here we use vi:
sudo vi /etc/wireguard/wg0.conf
Add the peer/client section to the file:
[Peer]
## Desktop/client VPN public key ##
PublicKey = your-client-public-key
## client VPN IP address (note the /32 subnet) ##
AllowedIPs = 192.168.10.2/32
When you are done, save and close the file.
Now start your service again with the following command:
sudo systemctl start wg-quick@wg0
At this point, the Debian server and client should be securely connected over the peer-to-peer WireGuard VPN.
You can test your connection with the following commands on your client machine:
ping -c 4 192.168.10.1
sudo wg
Now try to ssh into the server using your VPN connection:
ssh olivia@192.168.10.1
For more information, you can visit the WireGuard Documentation page.
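The two properties this guide relies on, owner-only key material (the umask 077 step) and a single /32 address per peer in the server's [Peer] sections, can be checked after each edit of wg0.conf. The script below is an added example, not part of the original article; the function name audit_wg_conf and the placeholder keys are assumptions made for illustration, and it expects GNU stat as shipped with Debian.

```sh
#!/bin/sh
# Added example (not from the original article): audit a server-side wg0.conf.
# Prints one finding per line; no output means every check passed.
audit_wg_conf() {
    conf=$1
    # The file embeds PrivateKey, so it must be owner-only (what umask 077 gives).
    mode=$(stat -c '%a' "$conf") || return 1      # GNU stat, as on Debian
    case $mode in
        600|400) ;;
        *) echo "PERM: mode $mode, expected 600" ;;
    esac
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments, blank lines
        /^[ \t]*\[/ { sec = $0; sub(/#.*/, "", sec); gsub(/[ \t]/, "", sec); next }
        {
            i = index($0, "="); if (!i) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
        }
        key == "PrivateKey" || key == "PublicKey" {
            # WireGuard keys are 32 bytes: 44 base64 characters ending in "=".
            if (length(val) != 44 || val !~ /^[A-Za-z0-9+\/]+=$/)
                print "KEY: " key " in " sec " is not a 44-character base64 key"
        }
        sec == "[Peer]" && key == "AllowedIPs" {
            n = split(val, ip, ",")
            for (j = 1; j <= n; j++) {
                # On the server each peer should own single host addresses only.
                if (ip[j] !~ /\/(32|128)$/)
                    print "ACL: peer AllowedIPs " ip[j] " is wider than one host"
                if (seen[ip[j]]++)
                    print "DUP: " ip[j] " is assigned to more than one peer"
            }
        }
    ' "$conf"
}

# Constructed sample: this guide's server config with placeholder keys
# (43 "A"s plus "=") and a second peer that wrongly claims the whole /24.
demo=$(mktemp); k=$(printf '%043d=' 0 | tr 0 A)
printf '%s\n' '[Interface]' 'Address = 192.168.10.1/24' 'ListenPort = 51194' \
    "PrivateKey = $k" 'SaveConfig = true' \
    '[Peer]' "PublicKey = $k" 'AllowedIPs = 192.168.10.2/32' \
    '[Peer]' "PublicKey = $k" 'AllowedIPs = 192.168.10.0/24' > "$demo"
audit_wg_conf "$demo"
rm -f "$demo"
```

On the real server, run it as root against /etc/wireguard/wg0.conf while the service is stopped, so the file reflects what wg-quick will load.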
Conclusion
At this point, you have learned to Set up WireGuard VPN Server on Debian 11 and Configure the VPN Client machine. WireGuard provides a high-performance alternative to traditional VPN protocols. By following the steps outlined, you can ensure secure, encrypted communication between your devices, improving privacy and protection.