| aliases | category | classification | date | date_modified | draft | id | image | links | local_archive_links | pinned | series | tags | title | type | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
network |
public |
2023-01-08 04:21:34 -0800 |
2023-01-08 04:21:34 -0800 |
false |
20230108122134 |
|
false |
false |
|
Setup WireGuard on Debian |
tech-note |
((TOC))
Important
This only works if your internet provider isn't using CGNAT. If that's the case, you must use a VPS, as described in [[20231209103435]].
[!info] Worth bearing in mind, I've now gone the Docker route with this, using wg-easy/wg-easy: The easiest way to run WireGuard VPN + Web-based Admin UI.
I've extracted what I needed to do from the clearest article I found on setting up WireGuard - How To Set Up WireGuard on Ubuntu 22.04 | DigitalOcean
Important
You must set UDP as the protocol when setting up the port forwarding rule on your router. Initially, I missed this and things were not working, with no obvious reason for ages (like 48 hours before I realised)!
sudo apt update
sudo apt install ufw wireguard wireguard-toolswg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.keysudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.keyCreate a WireGuard configuration file at /etc/wireguard/wg0.conf.
[Interface]
PrivateKey = <private-key-goes-here>
Address = 10.8.0.1/24
ListenPort = 51820
SaveConfig = trueUncomment the below line in /etc/sysctl.conf.
net.ipv4.ip_forward=1Reload sysctl.
sudo sysctl -pAdd the below rules to your wg0.conf, and make sure that eth0 is your primary network interface's name.
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADEsudo ufw allow 51820/udp
sudo ufw allow OpenSSH
sudo ufw disable
sudo ufw enableThe server's wg0.conf should now look like the below.
[Interface]
PrivateKey = <private-key-goes-here>
Address = 10.8.0.1/24
ListenPort = 51820
PostUp = ufw route allow in on wg0 out on eth0
PostUp = iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on eth0
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
SaveConfig = trueYou can now start it using systemd.
sudo systemctl enable --now wg-quick@wg0.serviceInstall WireGuard on the peer.
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.keysudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.keyCreate a WireGuard configuration file at /etc/wireguard/wg0.conf.
[Interface]
PrivateKey = <peer-private-key>
Address = 10.8.0.2/24
DNS = 10.19.90.5
[Peer]
PublicKey = <servers-public-key>
AllowedIPs = 10.8.0.0/24
Endpoint = <server-ip-or-hostname>:51820Copy the contents of the peer's public key.
sudo cat /etc/wireguard/public.keyThen from the WireGuard server, run the following.
sudo wg set wg0 peer <peers-public-key> allowed-ips 10.8.0.2Restart the WireGuard service if running, and then check the peer has been added, either by cat /etc/wireguard/wg0.conf or wg show.
On the peer, you can bring the WireGuard tunnel up, by running wg-quick.
wg-quick up wg0To bring the tunnel down, run the below.
wg-quick down wg0