1. Introduction to WireGuard
WireGuard is a popular VPN protocol that provides a lightweight and secure solution for establishing virtual private networks. It supports both IPv4 and IPv6 connections, allowing you to safely access the internet from your laptop or smartphone when connected to untrusted networks, such as public Wi-Fi.
Unlike other VPN software, such as OpenVPN and IPsec, WireGuard takes a different approach to encryption. It relies on public and private keys for peers to establish an encrypted tunnel between themselves. This design keeps the protocol simple and secure and lets it interoperate with many kinds of peers.
In this tutorial, we will guide you through the process of setting up WireGuard on a Debian 11 server. We’ll also show you how to configure a client machine to connect to the server as a peer using both IPv4 and IPv6 connections. Additionally, you’ll learn how to route the peer’s internet traffic through the WireGuard server in a gateway configuration.
2. Prerequisites
Before we start setting up WireGuard on your Debian 11 server, make sure you have the following:
- A Debian 11 server with a sudo non-root user and a firewall enabled. If you don’t have a server yet, you can follow our tutorial on how to set up an initial server with Debian 11.
- A client machine that you will use to connect to your WireGuard server. For the purpose of this tutorial, we’ll refer to this machine as the WireGuard Peer. While it’s recommended to use your local machine as the WireGuard Peer, you can also use remote servers or mobile phones as clients.
- If you plan to use WireGuard with IPv6, ensure that your server is configured to support IPv6 traffic. If you’re using a DigitalOcean Droplet, you can refer to their documentation on how to enable IPv6.
3. Installing WireGuard and Generating a Key Pair
The first step is to install WireGuard on your Debian 11 server. Update the package index and install WireGuard by running the following commands:
sudo apt update
sudo apt install wireguard
Once WireGuard is installed, you need to generate a private and public key pair for the server. Use the following commands to create the keys and change the permissions on the private key file:
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
Make a note of the private key that is output, as you’ll need to add it to WireGuard’s configuration file later.
Next, create the corresponding public key by running the following command:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Copy the base64 encoded public key for future reference. This key will be distributed to any peers that connect to the server.
4. Choosing IPv4 and IPv6 Addresses
In this section, you’ll choose the IPv4 and IPv6 address ranges for your WireGuard server and peers. If you plan to use both IPv4 and IPv6, follow both subsections. Otherwise, choose the instructions that are appropriate for your network needs.
4(a) Choosing an IPv4 Range
If you’re using IPv4 with your WireGuard server and peers, you’ll need to select a range of private IPv4 addresses to use. You can choose any range from the following reserved blocks:
- 10.0.0.0 to 10.255.255.255 (10/8 prefix)
- 172.16.0.0 to 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 to 192.168.255.255 (192.168/16 prefix)
For this tutorial, let’s use the range 10.8.0.0/24 as an example. This range allows up to 255 peer connections and should not conflict with other private IP ranges. Choose a private IP address within this range for your server’s tunnel address. In this example, we’ll use 10.8.0.1/24.
4(b) Choosing an IPv6 Range
If you’re using IPv6 with WireGuard, you’ll need to generate a unique local IPv6 unicast address prefix based on the algorithm specified in RFC 4193. This prefix will be associated with the virtual tunnel interface for your WireGuard server.
To generate a random, unique IPv6 prefix within the reserved fd00::/8 block, follow these steps:
- Collect a 64-bit timestamp using the date +%s%N command. This timestamp represents the number of seconds and nanoseconds since January 1, 1970, UTC.
- Copy the machine ID value for your server from the /var/lib/dbus/machine-id file. This identifier is unique to your system and should remain constant.
- Concatenate the timestamp and machine ID values and hash them using the SHA-1 algorithm. The low 40 bits of the resulting hash (its last ten hex characters) become the unique part of the prefix within the fd00::/8 block.
For example, if the timestamp is 1650301699497770167 and the machine ID is 610cef4946ed46da8f71dba9d66c67fb, you can generate the IPv6 prefix as follows:
printf "1650301699497770167610cef4946ed46da8f71dba9d66c67fb" | sha1sum | cut -c 31-
The output will be a string of ten hex characters (40 bits), such as 24609a6c18. Prepend fd to this value and insert a colon after every four hex characters. The resulting prefix will be fd24:609a:6c18::/64.
Choose an IP address within this range for your server’s tunnel address. In this example, we’ll use fd24:609a:6c18::1/64.
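The prefix derivation above, packaged as a shell function. This is an added example, not part of the original tutorial: ula_prefix and is_ula_prefix are our names, and the sample arguments are the tutorial's own timestamp and machine ID.

```shell
# Added example, not from the tutorial: derive an RFC 4193 unique local IPv6 /64 prefix
# from a timestamp and a machine id, as section 4(b) describes.
# Usage: ula_prefix [timestamp] [machine-id]; without arguments it reads live values.
ula_prefix() {
    ts="${1:-$(date +%s%N)}"                    # 64-bit nanosecond timestamp
    mid="${2:-$(cat /var/lib/dbus/machine-id)}" # 128-bit machine id, as hex
    # SHA-1 of the concatenation; the low 40 bits are the last 10 hex characters
    # of the 40-character digest (what "cut -c 31-" selects in the tutorial).
    low40=$(printf '%s%s' "$ts" "$mid" | sha1sum | cut -c 31-40)
    # fd + 40 pseudo-random bits, split into 16-bit hextets: fdXX:XXXX:XXXX::/64
    printf 'fd%s:%s:%s::/64\n' \
        "$(printf '%s' "$low40" | cut -c 1-2)" \
        "$(printf '%s' "$low40" | cut -c 3-6)" \
        "$(printf '%s' "$low40" | cut -c 7-10)"
}

# True when the argument has the shape of a ULA /64 inside the fd00::/8 block.
is_ula_prefix() {
    printf '%s' "$1" | grep -Eq '^fd[0-9a-f]{2}:[0-9a-f]{4}:[0-9a-f]{4}::/64$'
}

# The tutorial's worked example, using its sample timestamp and machine id.
ula_prefix 1650301699497770167 610cef4946ed46da8f71dba9d66c67fb
```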
5. Creating a WireGuard Server Configuration
Now that you have generated the necessary keys and chosen the IP address ranges, it’s time to create the WireGuard server configuration file.
First, gather the following information:
- The private key you generated for the server
- The IP address(es) you chose for the server’s tunnel interface(s)
- The public key of the WireGuard peer(s) that will connect to the server
- The public IP address and port number of the server (usually the IPv4 address)
Open the configuration file using your preferred text editor:
sudo nano /etc/wireguard/wg0.conf
Add the following lines to the file, replacing the values with your own:
[Interface]
PrivateKey = <base64_encoded_private_key>
Address = 10.8.0.1/24, fd24:609a:6c18::1/64
ListenPort = 51820
SaveConfig = true
- PrivateKey: Replace <base64_encoded_private_key> with the private key you generated for the server.
- Address: Use the IP addresses you chose for the server’s tunnel interface(s).
- ListenPort: Optionally, you can change the port number if you prefer.
- SaveConfig: Set to true so that changes made to the running interface with the wg command (such as peers added later) are written back to this file when the interface is brought down.
Save and close the file.
6. Adjusting the WireGuard Server’s Network Configuration
If you want to route your WireGuard peer’s internet traffic through the WireGuard server, you’ll need to configure IP forwarding.
Open the /etc/sysctl.conf file using your preferred text editor:
sudo nano /etc/sysctl.conf
Add the following lines at the bottom of the file:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
Save and close the file.
To apply the new settings, run the following command:
sudo sysctl -p
7. Configuring the WireGuard Server’s Firewall
To allow WireGuard VPN traffic through the server’s firewall, you’ll need to enable masquerading and add some firewall rules.
Open the WireGuard server’s configuration file again:
sudo nano /etc/wireguard/wg0.conf
Add the following lines at the bottom of the file, after the SaveConfig line. The rules assume the server’s public network interface is named eth0; replace it with your interface name if it differs:
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Save and close the file.
Additionally, open your server’s firewall to allow traffic to and from the WireGuard UDP port (by default, port 51820). If you haven’t already opened the SSH port, add it as well:
sudo ufw allow 51820/udp
sudo ufw allow OpenSSH
If you’re using a different firewall or have customized your UFW configuration, you may need to add additional firewall rules to allow other protocols or services over the VPN.
Disable and re-enable UFW to apply the changes:
sudo ufw disable
sudo ufw enable
Confirm the firewall rules by running:
sudo ufw status
8. Starting the WireGuard Server
WireGuard can be configured to run as a systemd service using the built-in wg-quick script. This allows you to manage the tunnel easily and ensure it starts up at boot.
Enable the WireGuard service by running the following command:
sudo systemctl enable wg-quick@wg0.service
Start the service:
sudo systemctl start wg-quick@wg0.service
To check the status of the WireGuard service, use the following command:
sudo systemctl status wg-quick@wg0.service
You should receive output indicating that the service is active and running.
9. Configuring a WireGuard Peer
Now that the WireGuard server is set up and running, it’s time to configure a WireGuard peer to connect to the server.
Ensure that WireGuard is installed on the peer machine:
sudo apt update
sudo apt install wireguard
Generate a private and public key pair for the peer by following the same steps as before:
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
Create the corresponding public key:
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Open the WireGuard peer’s configuration file:
sudo nano /etc/wireguard/wg0.conf
Add the following lines to the file, replacing the values with your own:
[Interface]
PrivateKey = <base64_encoded_peer_private_key>
Address = 10.8.0.2/24, fd24:609a:6c18::2/64
[Peer]
PublicKey = <base64_encoded_server_public_key>
AllowedIPs = 10.8.0.0/24, fd24:609a:6c18::/64
Endpoint = <server_public_ip>:51820
- PrivateKey: Replace <base64_encoded_peer_private_key> with the private key you generated for the peer.
- Address: Use the IP addresses you chose for the peer’s tunnel interface.
- PublicKey: Replace <base64_encoded_server_public_key> with the public key of the WireGuard server.
- AllowedIPs: Specify the destination IP address ranges that the peer will route through the tunnel to the server.
- Endpoint: Replace <server_public_ip> with the public IP address of the WireGuard server.
Save and close the file.
10. Adding the Peer’s Public Key to the WireGuard Server
To allow the peer to connect to the WireGuard server, you need to add the peer’s public key to the server’s configuration.
Log into the WireGuard server and run the following command:
sudo wg set wg0 peer <base64_encoded_peer_public_key> allowed-ips 10.8.0.2,fd24:609a:6c18::2
Replace <base64_encoded_peer_public_key> with the public key of the WireGuard peer.
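As an added check, not part of the tutorial, the script below reads a server-side wg0.conf in the form SaveConfig writes after the wg set command above and flags the mistakes this setup makes easy: an unreplaced key placeholder from step 5, a world-readable config file, a missing ListenPort, and a peer whose AllowedIPs is wider than a host route (the peer-side config from step 9 legitimately uses whole subnets, so this check is for the server only). The function names and the sample config are ours, and the keys are constructed placeholders, not real keys.

```shell
# Added example, not from the tutorial: sanity-check a WireGuard server config before
# bringing it up. The sample config and keys below are constructed placeholders.
# A WireGuard key is 32 bytes, base64-encoded: 44 characters that decode to 32 bytes.
# This also catches an un-replaced <base64_encoded_private_key> placeholder.
is_wg_key() {
    [ "${#1}" -eq 44 ] || return 1
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq 32 ]
}
# On the server, each peer's AllowedIPs should be host routes: a bare address (stored
# as /32 or /128) or an explicit /32 or /128. Anything wider lets that peer send
# packets with any source address in the range through the tunnel.
allowed_ips_are_hosts() {
    for cidr in $(printf '%s' "$1" | tr ',' ' '); do
        case "$cidr" in
            */32|*/128) ;;
            */*) return 1 ;;
        esac
    done
    return 0
}
# Check one config file: print each problem found and return non-zero if any.
check_wg_conf() {
    rc=0
    [ -z "$(find "$1" -perm -004)" ] || { echo "$1 is world-readable"; rc=1; }
    grep -q '^ListenPort' "$1" || { echo "no ListenPort set"; rc=1; }
    for k in $(sed -n -e 's/^PrivateKey *= *//p' -e 's/^PublicKey *= *//p' "$1"); do
        is_wg_key "$k" || { echo "not a valid key: $k"; rc=1; }
    done
    for ips in $(sed -n 's/^AllowedIPs *= *//p' "$1" | tr -d ' '); do
        allowed_ips_are_hosts "$ips" || { echo "AllowedIPs too broad: $ips"; rc=1; }
    done
    return $rc
}
# Constructed sample in the layout wg-quick writes with SaveConfig = true after the
# tutorial's "wg set" command. Keys are placeholders (all-zero and ASCII bytes).
SERVER_KEY=$(head -c 32 /dev/zero | base64)
PEER_KEY=$(printf '%032d' 1 | base64)
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<EOF
[Interface]
PrivateKey = $SERVER_KEY
Address = 10.8.0.1/24, fd24:609a:6c18::1/64
ListenPort = 51820
[Peer]
PublicKey = $PEER_KEY
AllowedIPs = 10.8.0.2/32, fd24:609a:6c18::2/128
EOF
check_wg_conf "$SAMPLE_CONF" && echo "ok: $SAMPLE_CONF passes"
```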
11. Connecting the WireGuard Peer to the Tunnel
To establish a connection between the WireGuard peer and the server, start the tunnel on the peer:
sudo wg-quick up wg0
Check the status of the tunnel on the peer:
sudo wg
You should see the details of the connection, including the peer’s public key, IP addresses, and the latest handshake time.
12. Conclusion
Congratulations! You have successfully set up WireGuard on your Debian 11 server and connected a peer device to establish a secure VPN connection. With WireGuard, you can now securely access resources on your server or route all your internet traffic through the VPN.
WireGuard offers a lightweight and efficient VPN solution that ensures simplicity, security, and compatibility across different platforms. It provides a secure and private network connection, allowing you to browse the internet safely, access your infrastructure remotely, and protect your sensitive data.
Remember to configure firewall rules and routing settings according to your specific requirements to ensure optimal performance and security.
For reliable and scalable cloud hosting solutions, consider Shape.host’s Linux SSD VPS services. Shape.host offers high-performance virtual private servers with a focus on speed, stability, and security. Visit Shape.host to learn more about their hosting plans and take your online presence to new heights.