Setup a VPN Server with WireGuard on Debian 9 [Linux Consulting & Training]

Tested with Debian 9 (server side) and Ubuntu 18.04 (client side) in September 2018

Server Setup

Install WireGuard on the Server

Install WireGuard from Debian packages

echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
echo -e "Package: *\nPin: release a=unstable\nPin-Priority: 150\n" | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install wireguard

Check if the wireguard kernel module has been loaded correctly

lsmod | grep wireguard

The output should not be blank. If necessary, you can try to load the wireguard kernel module manually with

sudo modprobe wireguard

Generate Server Keys

Generate server private key with

wg genkey

Copy and note down the generated key (should be something like SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=).

Then, generate the corresponding public key with:

echo "SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=" | wg pubkey

and note down the generated public key (in our example it will be SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk=).

Generate User Keys

Generate user private key (one per user!) with

wg genkey

Copy and note down the generated key (should be something like UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=).

Then, generate the corresponding public key with:

echo "UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=" | wg pubkey

and note down the generated public key (in our example it will be UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=).

Configure the Server

Check the name of the network interface with

ip l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens32: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:0c:29:5a:8c:02 brd ff:ff:ff:ff:ff:ff

In our case the public network interface is ens32. Note down the public IP address of the server associated with that interface. In our example it will be 1.2.3.4 (no, I’m not from APNIC); you can check yours with

ip a show dev ens32

Now, create a file for the wireguard interface (wg0s in our example) with

sudo vim /etc/wireguard/wg0s.conf

and add the following content (replace the sample keys with the keys you actually generated, and ens32 with your server’s public interface):

[Interface]
Address = 172.16.16.1/24
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens32 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens32 -j MASQUERADE
ListenPort = 5544
PrivateKey = SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=

[Peer]
PublicKey = UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=
AllowedIPs = 172.16.16.2/32

You can also change the ListenPort from 5544 to a different, unused port (and open the corresponding port on the server’s firewall).

Start the server

Start Wireguard on the server with

sudo wg-quick up wg0s

and check if the VPN tunnel is up and running with

wg show

If needed, you can kill the tunnel with

sudo wg-quick down wg0s

Client Setup

Install WireGuard on the Client

Install wireguard on your Ubuntu client with

sudo add-apt-repository ppa:wireguard/wireguard
sudo apt-get update
sudo apt-get install wireguard

Configure the Client

Now, create a file for the wireguard interface (wg0c in our example) on your Ubuntu client with

sudo vim /etc/wireguard/wg0c.conf

and add the following content (remember to replace the IP address of the Endpoint with the server’s public address, and the sample keys with your own).

[Interface]
Address = 172.16.16.2/24
SaveConfig = true
ListenPort = 47824
FwMark = 0x1234
PrivateKey = UsEr1PRIVATEkEyUsEr1PRIVATEkEyUsEr1PRIVATE=

[Peer]
PublicKey = SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk=
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 1.2.3.4:5544
PersistentKeepalive = 10
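The key-generation and configuration steps above are easy to get wrong by hand (swapped keys, a private key left world-readable, a peer without its own /32). The script below is an added example, not part of the original article: it derives the public key from a private key the same way `wg pubkey` does (X25519 base-point multiplication, written out per RFC 7748 so it runs with no dependencies), renders the server and client files in the exact layout shown above, and writes them with mode 0600. The interface name, port, addresses and the `1.2.3.4` endpoint are the article's sample values; on a real host you would still use `wg genkey` / `wg pubkey` rather than the pure-Python ladder.

```python
"""Added example (not from the original article): derive WireGuard public keys
from private keys and render the server/client configuration files described
above. The X25519 ladder follows RFC 7748 so the script runs without any
dependencies; on a real host use `wg genkey` and `wg pubkey` instead."""
import base64
import os
import secrets

P = 2**255 - 19   # Curve25519 field prime
A24 = 121665      # (A - 2) / 4 for Curve25519's A = 486662
BASE_POINT_U = 9  # u-coordinate of the generator


def _clamp(raw: bytes) -> bytes:
    # Same clamping `wg genkey` applies to the 32 random bytes.
    b = bytearray(raw)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return bytes(b)


def _x25519(k: int, u: int) -> int:
    # Montgomery ladder from RFC 7748 section 5 (plain Python, not constant time).
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return x2 * pow(z2, P - 2, P) % P


def generate_private_key() -> str:
    """Equivalent of `wg genkey`: 32 clamped random bytes, base64-encoded."""
    return base64.b64encode(_clamp(secrets.token_bytes(32))).decode()


def derive_public_key_bytes(private: bytes) -> bytes:
    if len(private) != 32:
        raise ValueError("WireGuard private keys are exactly 32 bytes")
    scalar = int.from_bytes(_clamp(private), "little")
    return _x25519(scalar, BASE_POINT_U).to_bytes(32, "little")


def derive_public_key(private_b64: str) -> str:
    """Equivalent of `echo "<private key>" | wg pubkey`."""
    return base64.b64encode(derive_public_key_bytes(base64.b64decode(private_b64))).decode()


def render_server_config(server_priv: str, listen_port: int, wan_if: str,
                         peers: dict, address: str = "172.16.16.1/24") -> str:
    """peers maps each client's public key to its tunnel IP (one /32 per user)."""
    fw = (f"iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; "
          f"iptables -t nat -A POSTROUTING -o {wan_if} -j MASQUERADE")
    lines = ["[Interface]", f"Address = {address}",
             f"PostUp = {fw}", f"PostDown = {fw.replace(' -A ', ' -D ')}",  # same rules, deleted
             f"ListenPort = {listen_port}", f"PrivateKey = {server_priv}"]
    for pub, ip in peers.items():
        lines += ["", "[Peer]", f"PublicKey = {pub}", f"AllowedIPs = {ip}/32"]
    return "\n".join(lines) + "\n"


def render_client_config(client_priv: str, client_ip: str, server_pub: str,
                         endpoint: str, listen_port: int = 47824) -> str:
    lines = ["[Interface]", f"Address = {client_ip}/24", "SaveConfig = true",
             f"ListenPort = {listen_port}", "FwMark = 0x1234", f"PrivateKey = {client_priv}",
             "", "[Peer]", f"PublicKey = {server_pub}",
             "AllowedIPs = 0.0.0.0/0, ::/0",  # route all traffic through the tunnel
             f"Endpoint = {endpoint}", "PersistentKeepalive = 10"]
    return "\n".join(lines) + "\n"


def write_config(path: str, text: str) -> None:
    # The files hold private keys: create them 0600 instead of relying on the umask.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)


if __name__ == "__main__":
    # Sample run: one server and one client, keys generated on the spot.
    server_priv, client_priv = generate_private_key(), generate_private_key()
    server_pub, client_pub = derive_public_key(server_priv), derive_public_key(client_priv)
    print(render_server_config(server_priv, 5544, "ens32", {client_pub: "172.16.16.2"}))
    print(render_client_config(client_priv, "172.16.16.2", server_pub, "1.2.3.4:5544"))
```

To add a second user, generate another key pair and add its public key to the `peers` dictionary with the next free address (172.16.16.3 and so on); each peer's `AllowedIPs` on the server stays a single /32, which is what lets the server route replies to the right client.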

Start the client

Start WireGuard on the client with

sudo wg-quick up wg0c

and check if the VPN tunnel is up and running with

wg show

If needed, you can kill the tunnel with

sudo wg-quick down wg0c

Troubleshooting

  1. Do not mess up the keys – it’s quite easy to switch client and server, public and private (and break the tunnel)

  2. If you have a firewall running on your server, open the corresponding UDP port (5544 in the example above)

  3. If you are behind the Great Firewall, it will probably not work
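`wg show` (used above to check that the tunnel is up) only tells you something if you read the handshake timestamps: a peer that never handshaked points at mixed-up keys or a blocked UDP port, and one whose last handshake is minutes old has stopped getting packets through. The script below is an added example, not part of the original article; it parses the machine-readable `wg show <iface> dump` format and flags such peers. The sample dump is constructed from the article's placeholder keys plus a made-up second user; `check_interface` runs the real command and needs a host with WireGuard installed.

```python
"""Added example (not from the original article): parse `wg show <iface> dump`
output and report peers whose handshake never happened or went stale, the two
symptoms of the key mix-up and closed-firewall problems listed above.
The sample dump is constructed; the key strings are the article's placeholders
plus a made-up second user."""
import subprocess
import time

# `wg show <iface> dump` is tab-separated. Line 1 describes the interface:
#   private-key  public-key  listen-port  fwmark
# Each further line describes one peer:
#   public-key  preshared-key  endpoint  allowed-ips  latest-handshake  rx  tx  keepalive
# latest-handshake is a Unix timestamp, 0 if no handshake has ever completed.
SAMPLE_DUMP = "\n".join([
    "\t".join(["SeRvErPRIVATEkEySeRvErPRIVATEkEySeRvErPRIVA=",
               "SeRvErPUBLICkEySeRvErPUBLICkEySeRvErPUBLICk=", "5544", "off"]),
    "\t".join(["UsEr1PUBLICkEyUsEr1PUBLICkEyUsEr1PUBLICkey=", "(none)",
               "198.51.100.7:47824", "172.16.16.2/32", "1700000000", "18216", "24380", "off"]),
    "\t".join(["UsEr2PUBLICkEyUsEr2PUBLICkEyUsEr2PUBLICkey=", "(none)",  # constructed user
               "(none)", "172.16.16.3/32", "0", "0", "0", "off"]),
])

PEER_FIELDS = ("public_key", "preshared_key", "endpoint", "allowed_ips",
               "latest_handshake", "rx_bytes", "tx_bytes", "persistent_keepalive")


def parse_wg_dump(dump: str) -> list:
    """Return one dict per peer; the interface line is skipped."""
    peers = []
    for line in dump.strip().splitlines()[1:]:
        cols = line.split("\t")
        if len(cols) != len(PEER_FIELDS):
            raise ValueError(f"unexpected peer line: {line!r}")
        peer = dict(zip(PEER_FIELDS, cols))
        for key in ("latest_handshake", "rx_bytes", "tx_bytes"):
            peer[key] = int(peer[key])
        peers.append(peer)
    return peers


def find_unhealthy_peers(dump: str, now: float, max_age: int = 180) -> list:
    """(public_key, reason) for every peer that is not exchanging handshakes.
    WireGuard re-handshakes roughly every two minutes while traffic flows, so a
    handshake older than max_age on a peer that has a keepalive set means
    packets are not getting through (wrong keys, wrong endpoint, blocked UDP)."""
    problems = []
    for peer in parse_wg_dump(dump):
        if peer["latest_handshake"] == 0:
            problems.append((peer["public_key"], "no handshake ever completed"))
        elif now - peer["latest_handshake"] > max_age:
            age = int(now - peer["latest_handshake"])
            problems.append((peer["public_key"], f"last handshake {age} s ago"))
    return problems


def check_interface(iface: str) -> list:
    """Run the real command on a host with WireGuard (needs root or CAP_NET_ADMIN)."""
    out = subprocess.run(["wg", "show", iface, "dump"], check=True,
                         capture_output=True, text=True).stdout
    return find_unhealthy_peers(out, time.time())


if __name__ == "__main__":
    # Offline run against the constructed sample: only the second user is flagged.
    for pub, reason in find_unhealthy_peers(SAMPLE_DUMP, now=1700000100):
        print(f"{pub}: {reason}")
```

On the server, `sudo python3 wgcheck.py` style use would call `check_interface("wg0s")`; a peer reported with "no handshake ever completed" is the case troubleshooting item 1 and 2 describe, so check that its public key matches the client's private key and that UDP 5544 is reachable from the client.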