Wireguard on Debian 11 – quick howto

Linux VPN Wireguard

Create the local configuration:

Host parameters:

Remote host (peer) public IP: 1.2.3.4
Local host public IP: 6.7.8.9
Address of (local) Wireguard interface (wg0): 10.10.10.1/32
Wireguard listen port: 51820
Local private key: xxxx
Local public key: yyyy
Remote public key: zzzz
Remote network address: 10.0.0.0/24
Local network address: 192.168.1.0/24

Create the private key:

wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key

Create the corresponding public key:

cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key

Create the config file (/etc/wireguard/wg0.conf) with the following content:

[Interface]
Address = 10.10.10.1/32
SaveConfig = true
PostUp = ip rule add table 200 from 6.7.8.9
PostUp = ip route add table 200 default via 6.7.8.9
PreDown = ip rule delete table 200 from 6.7.8.9
PreDown = ip route delete table 200 default via 6.7.8.9
ListenPort = 51820
PrivateKey = xxxx

[Peer]
PublicKey = zzzz
AllowedIPs = 10.0.0.0/24
Endpoint = 1.2.3.4:51820

Add the following firewall rules to the nftables config file (/etc/nftables.conf). They can be created on the fly as well, but I prefer a static firewall config.

Forward chain:

iifname "wg0" ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter accept
oifname "wg0" ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter accept

Postrouting chain:

ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter accept
ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter accept

Create the peer configuration:

Remote host (peer) parameters:
Remote host (peer) public IP: 6.7.8.9
Local host public IP: 1.2.3.4
Address of (local) Wireguard interface (wg0): 10.10.10.1/32
Wireguard listen port: 51820
Local private key: jklm (see key generation above)
Local public key: defg (see key generation above)
Remote public key: yyyy
Remote network address: 192.168.1.0/24
Local network address: 10.0.0.0/24

Create the private key:

wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key

Create the corresponding public key:

cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key

Create the Wireguard config file (/etc/wireguard/wg0.conf) on the remote host with the following content:

[Interface]
Address = 10.10.10.2/32
SaveConfig = true
PostUp = ip rule add table 200 from 1.2.3.4
PostUp = ip route add table 200 default via 1.2.3.4
PreDown = ip rule delete table 200 from 1.2.3.4
PreDown = ip route delete table 200 default via 1.2.3.4
ListenPort = 51820
PrivateKey = jklm

[Peer]
PublicKey = yyyy
AllowedIPs = 192.168.1.0/24
Endpoint = 6.7.8.9:51820
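AllowedIPs is easy to get wrong when the second config is copied from the first: it is both the route table and the source ACL for that peer, so a prefix that overlaps the LAN behind the host pulls local traffic into the tunnel and lets the peer source packets as local addresses. The following checker is an added example, not part of the original howto; it parses a wg-quick style config and flags that mistake, using the placeholder keys and addresses from this page as constructed samples.

```python
import ipaddress
from collections import defaultdict

def parse_wg_conf(text):
    """Parse a wg-quick style config into [(section, {key: [values]})].
    Repeated keys (PostUp, AllowedIPs, several [Peer] sections) are kept."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1], defaultdict(list))
            sections.append(current)
            continue
        key, sep, value = line.partition("=")
        if current is None or not sep:
            raise ValueError(f"malformed line: {raw!r}")
        current[1][key.strip()].append(value.strip())
    return sections

def check_cryptokey_routing(text, local_lan):
    """Return a list of problems with each [Peer]'s AllowedIPs for a
    site-to-site tunnel: a peer with no prefixes gets no traffic, and a
    prefix overlapping the LAN behind this host is a copy-paste error."""
    lan = ipaddress.ip_network(local_lan)
    problems = []
    for name, keys in parse_wg_conf(text):
        if name != "Peer":
            continue
        prefixes = [p.strip() for v in keys.get("AllowedIPs", [])
                    for p in v.split(",") if p.strip()]
        if not prefixes:
            problems.append("peer has no AllowedIPs: nothing is routed to it")
        for p in prefixes:
            if ipaddress.ip_network(p, strict=False).overlaps(lan):
                problems.append(f"AllowedIPs {p} overlaps local LAN {lan}")
    return problems

# Constructed sample: the local host's wg0.conf from this page (LAN 192.168.1.0/24).
SITE_A = ("[Interface]\nAddress = 10.10.10.1/32\nPrivateKey = xxxx\n"
          "[Peer]\nPublicKey = zzzz\nAllowedIPs = 10.0.0.0/24\nEndpoint = 1.2.3.4:51820\n")
# Constructed sample of the mistake this catches: the remote host (LAN 10.0.0.0/24)
# copied the file and kept AllowedIPs = 10.0.0.0/24 instead of 192.168.1.0/24.
SITE_B_BROKEN = SITE_A.replace("10.10.10.1", "10.10.10.2").replace("1.2.3.4", "6.7.8.9")

if __name__ == "__main__":
    print(check_cryptokey_routing(SITE_A, "192.168.1.0/24"))          # []
    print(check_cryptokey_routing(SITE_B_BROKEN, "10.0.0.0/24"))      # one overlap problem
```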

Add the following firewall rules to the nftables config file (/etc/nftables.conf). They can be created on the fly as well, but I prefer a static firewall config.

Forward chain:

iifname "wg0" ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter accept
oifname "wg0" ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter accept

Postrouting chain:

ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter accept
ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter accept

Final steps:

Start the Wireguard service:

systemctl start wg-quick@wg0.service

Check the status:

systemctl status wg-quick@wg0.service

Enable the service at boot:

systemctl enable wg-quick@wg0.service

Ping from both ends to ensure connectivity.

See this DigitalOcean link for further information on how to add IPv6 and for a more in-depth explanation.