Debian 10 has set up a WireGuard VPN server

How do I install and set up WireGuard VPN server on a Debian 10 Linux server? How can I configure Debian 10 as the WireGuard VPN server?

WireGuard is an open-source, free, modern, and fast VPN server with state-of-the-art cryptography. It is quicker and simpler as compared to IPSec and OpenVPN. Originally, released for the Linux kernel, but it is getting cross-platform support for other operating systems such as FreeBSD and others. This page explains how to install and set up WireGuard VPN on Debian 10 Linux server.

Adblock detected 😱

My website is made possible by displaying online advertisements to my visitors. I get it! Ads are annoying but they help keep this website running. It is hard to keep the site running and producing new content when so many people block ads. Please consider donating money to the nixCraft via PayPal/Bitcoin, or become a supporter using Patreon.

Advertisements

Procedure: Debian 10 set up WireGuard VPN server

Our sample setup includes a simple peer connection between a cloud server running Debian 10 LTS server, and a Debian/Ubuntu/RHEL/SUSE/OpenSUSE/CentOS Linux desktop client (or iOS/Android app):
Debian 10 has set up a WireGuard VPN server
The steps are as follows for installing and configuring WireGuard on a Debian Linux 10 as a VPN server.

Please note that {[email protected]:~ }$ OR {[email protected]:~ }$ is my shell prompt and is not part of actual commands. In other words, you need to copy and paste command after my shell prompt.

Step 1 – Update your system

Run the apt command/apt-get command to install Debian 10 security updates:
{[email protected]:~ }$ sudo apt update
{[email protected]:~ }$ sudo apt upgrade

Step 2 – Enable Debian 10 buster backports repo

Wireguard is in Debian backported repo. Hence, enable backports as follows, run:
{[email protected]:~ }$ sudo sh -c “echo ‘deb http://deb.debian.org/debian buster-backports main contrib non-free’ > /etc/apt/sources.list.d/buster-backports.list”
Use the cat command to verify repo:
{[email protected]:~ }$ cat /etc/apt/sources.list.d/buster-backports.list
Update the repo, run:
{[email protected]:~ }$ sudo apt update

Hit:1 http://mirrors.linode.com/debian buster InRelease
Hit:2 http://mirrors.linode.com/debian-security buster/updates InRelease
Hit:3 http://mirrors.linode.com/debian buster-updates InRelease
Get:4 http://deb.debian.org/debian buster-backports InRelease [46.7 kB] Get:5 http://deb.debian.org/debian buster-backports/main amd64 Packages [292 kB] Get:6 http://deb.debian.org/debian buster-backports/main Translation-en [227 kB] Get:7 http://deb.debian.org/debian buster-backports/contrib amd64 Packages [7,448 B] Get:8 http://deb.debian.org/debian buster-backports/contrib Translation-en [5,492 B] Get:9 http://deb.debian.org/debian buster-backports/non-free amd64 Packages [23.3 kB] Get:10 http://deb.debian.org/debian buster-backports/non-free Translation-en [30.3 kB] Fetched 632 kB in 2s (287 kB/s)
Reading package lists… Done
Building dependency tree
Reading state information… Done
All packages are up to date.

Hit:1 http://mirrors.linode.com/debian buster InRelease
Hit:2 http://mirrors.linode.com/debian-security buster/updates InRelease
Hit:3 http://mirrors.linode.com/debian buster-updates InRelease
Get:4 http://deb.debian.org/debian buster-backports InRelease [46.7 kB] Get:5 http://deb.debian.org/debian buster-backports/main amd64 Packages [292 kB] Get:6 http://deb.debian.org/debian buster-backports/main Translation-en [227 kB] Get:7 http://deb.debian.org/debian buster-backports/contrib amd64 Packages [7,448 B] Get:8 http://deb.debian.org/debian buster-backports/contrib Translation-en [5,492 B] Get:9 http://deb.debian.org/debian buster-backports/non-free amd64 Packages [23.3 kB] Get:10 http://deb.debian.org/debian buster-backports/non-free Translation-en [30.3 kB] Fetched 632 kB in 2s (287 kB/s)
Reading package lists… Done
Building dependency tree
Reading state information… Done
All packages are up to date.

Search for the WireGuard package

Run the following command:
{[email protected]:~ }$ apt search wireguard

Sorting… Done
Full Text Search… Done
wireguard/buster-backports 1.0.20200319-1~bpo10+1 all
fast, modern, secure kernel VPN tunnel (metapackage)

wireguard-dkms/buster-backports 0.0.20200318-1~bpo10+1 all
fast, modern, secure kernel VPN tunnel (DKMS version)

wireguard-tools/buster-backports 1.0.20200319-1~bpo10+1 amd64
fast, modern, secure kernel VPN tunnel (userland utilities)

Sorting… Done
Full Text Search… Done
wireguard/buster-backports 1.0.20200319-1~bpo10+1 all
fast, modern, secure kernel VPN tunnel (metapackage) wireguard-dkms/buster-backports 0.0.20200318-1~bpo10+1 all
fast, modern, secure kernel VPN tunnel (DKMS version) wireguard-tools/buster-backports 1.0.20200319-1~bpo10+1 amd64
fast, modern, secure kernel VPN tunnel (userland utilities)

Step 3 – Installing a WireGuard VPN server on Debian 10 LTS

Now, we got our server updates with the latest security patches and buster-backports is enabled. It is time for setting up a WireGuard VPN server on Debian 10 server. Enter:
{[email protected]:~ }$ sudo apt install wireguard
Debian 10 has set up a WireGuard VPN server

Step 4 – Configuring WireGuard server

First we need to create a private and public key pair for the WireGuard server. Let us cd into /etc/wireguard/ directory using the cd command as follows:
{[email protected]:~ }$ sudo -i
{[email protected]:~ }# cd /etc/wireguard/
Execute the following command:
{[email protected]:~ }# umask 077; wg genkey | tee privatekey | wg pubkey > publickey
To view keys created use the cat command and ls command:
{[email protected]:~ }# ls -l privatekey publickey
{[email protected]:~ }# cat privatekey
## Please note down the private key ##
{[email protected]:~ }# cat publickey
Debian 10 has set up a WireGuard VPN server

Set Up WireGuard VPN on Debian by Editing wg0.conf

Edit or update the /etc/wireguard/wg0.conf file as follows:
{[email protected]:~ }$ sudo nano /etc/wireguard/wg0.conf
## OR ##
{[email protected]:~ }$ sudo vim /etc/wireguard/wg0.conf
Append the following config directives:

## Set Up WireGuard VPN on Debian By Editing/Creating wg0.conf File ##
[Interface] ## My VPN server private IP address ##
Address = 192.168.10.1/24

## My VPN server port ##
ListenPort = 51194

## VPN server’s private key i.e. /etc/wireguard/privatekey ##
PrivateKey = eEvqkSJVw/7cGUEcJXmeHiNFDLBGOz8GpScshecvNHU

## Save and update this config file when a new peer (vpn client) added ##
SaveConfig = true

## Set Up WireGuard VPN on Debian By Editing/Creating wg0.conf File ##
[Interface] ## My VPN server private IP address ##
Address = 192.168.10.1/24
## My VPN server port ##
ListenPort = 51194
## VPN server’s private key i.e. /etc/wireguard/privatekey ##
PrivateKey = eEvqkSJVw/7cGUEcJXmeHiNFDLBGOz8GpScshecvNHU
## Save and update this config file when a new peer (vpn client) added ##
SaveConfig = true

Save and close the file when using vim text editor.

Step 5 – Set up UFW firewall rules

I am assuming that you have UFW configured and we are going to open UDP 51194 port using the ufw command as follows:
{[email protected]:~ }$ sudo ufw allow 51194/udp
Rule added
Rule added (v6)
See “How To Configure Firewall with UFW on Debian 10 LTS” for more info.

Step 6 – Enable and start WireGuard service

Turn the WireGuard service at boot time using the systemctl command, run:
{[email protected]:~ }$ sudo systemctl enable [email protected]
Start the service, execute:
{[email protected]:~ }$ sudo systemctl start [email protected]
Get the service status, run:
{[email protected]:~ }$ sudo systemctl status [email protected]

Verify that interface named wg0 is up and running on Debian server using the ip command:
{[email protected]:~ }$ sudo wg
{[email protected]:~ }$ sudo ip a show wg0
Debian 10 has set up a WireGuard VPN server

Step 7 – Wireguard VPN client configuration

The procedure for installing and configuring a VPN client is the same as setting up the server. Let us install the client on an Debian Linux 10 desktop:
{[email protected]:~ }$ sudo sh -c “echo ‘deb http://deb.debian.org/debian buster-backports main contrib non-free’ > /etc/apt/sources.list.d/buster-backports.list”
{[email protected]:~ }$ sudo apt update
Install wireguard on Linux desktop, run:
{[email protected]:~ }$ sudo apt install wireguard
Next we need create VPN client config on Debian/Debian/CentOS Linux destkop:
{v[email protected]:~ }$ sudo sh -c ‘umask 077; touch /etc/wireguard/wg0.conf’
{[email protected]:~ }$ sudo -i
{[email protected]:~ }# cd /etc/wireguard/
{[email protected]:~ }# umask 077; wg genkey | tee privatekey | wg pubkey > publickey
{[email protected]:~ }# ls -l publickey privatekey
## Note down the privatekey ##
{[email protected]:~ }# cat privatekey
Debian 10 has set up a WireGuard VPN server
Edit the /etc/wireguard/wg0.conf file:
{[email protected]:~ }$ sudo nano /etc/wireguard/wg0.conf
## OR ##
{[email protected]:~ }$ sudo vim /etc/wireguard/wg0.conf
Append the following directives:

[Interface] ## This Desktop/client’s private key ##
PrivateKey = uJPzgCQ6WNlAUp3s5rabE/EVt1qYh3Ym01sx6oJI0V4

## Client ip address ##
Address = 192.168.10.2/24

[Peer] ## Debian 10 server public key ##
PublicKey = qdjdqh2pN3DEMDUDRob8K3bp9BZFJbT59fprBrl99zM

## set ACL ##
AllowedIPs = 192.168.10.0/24

## Your Debian 10 LTS server’s public IPv4/IPv6 address and port ##
Endpoint = 172.105.112.120:51194

## Key connection alive ##
PersistentKeepalive = 20

[Interface] ## This Desktop/client’s private key ##
PrivateKey = uJPzgCQ6WNlAUp3s5rabE/EVt1qYh3Ym01sx6oJI0V4
## Client ip address ##
Address = 192.168.10.2/24
[Peer] ## Debian 10 server public key ##
PublicKey = qdjdqh2pN3DEMDUDRob8K3bp9BZFJbT59fprBrl99zM
## set ACL ##
AllowedIPs = 192.168.10.0/24
## Your Debian 10 LTS server’s public IPv4/IPv6 address and port ##
Endpoint = 172.105.112.120:51194
## Key connection alive ##
PersistentKeepalive = 20

Enable and start VPN client/peer connection, run:
{[email protected]:~ }$ sudo systemctl enable [email protected]
{[email protected]:~ }$ sudo systemctl start [email protected]
{[email protected]:~ }$ sudo systemctl status [email protected]

Allow desktop client and Debian server connection over VPN (peer)

We need to configure the server-side peer-to-peer VPN option and allow a connection between the Desktop client computer and the server. Let us go back to our Debian 10 LTS server and edit the wg0.conf file to add [Peer] (client) information as follows (type commands on your server box):
{[email protected]:~ }$ sudo systemctl stop [email protected]
{[email protected]:~ }$ sudo vi /etc/wireguard/wg0.conf
Append the following config:

[Peer] ## Desktop/client VPN public key ##
PublicKey = 2H8vRWKCrddLf8vPwwTLMfZcRhOj10UBdc0j8W7yQAk=

## client VPN IP address (note the /32 subnet) ##
AllowedIPs = 192.168.10.2/32

[Peer] ## Desktop/client VPN public key ##
PublicKey = 2H8vRWKCrddLf8vPwwTLMfZcRhOj10UBdc0j8W7yQAk=
## client VPN IP address (note the /32 subnet) ##
AllowedIPs = 192.168.10.2/32

Save and close the file. Next start the service again, run:
{[email protected]:~ }$ sudo systemctl start [email protected]

Step 8 – Verification

That is all, folks. By now, both Debian servers and clients must be connected securely using a peer-to-peer VPN called WireGuard. Let us test the connection. Type the following ping command on your client machine/desktop system:
{[email protected]:~ }$ ping -c 4 192.168.10.1
{[email protected]:~ }$ sudo wg
## try to ssh into server using our VPN connection ##
{[email protected]:~ }$ ssh [email protected]
Debian 10 has set up a WireGuard VPN server

Conclusion

Congratulation! You just learned about setting up a WireGuard VPN server on Debian 10 LTS server and peer (client machine) on both Debian/CentOS Linux desktop. I strongly suggest that you read WireGuard project documentation here.

ADVERTISEMENTS

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting. Get the latest tutorials on SysAdmin, Linux/Unix and open source topics via RSS/XML feed or weekly email newsletter.install wireguard debian,wireguard server list

You May Also Like

World of Warcraft Classic: Some Players Use Illegal Tools to Stay Connected

Earlier this week, Blizzard released World of Warcraft Classic. The launch was,…

Crash Team Racing Bientt Back on Ps4!

Activision seems not to have finished with the remastering of the Playstation…

Calculation Number of Days Between Two Dates

Topic: Delphi Language charlene44 wrote: 18/08/2006 at 15h08 calculation of number of…