GTKC Knowledgebase
A little bit of wisdom
Wireguard on Debian 11 - quick howto
Posted by Admin on


Create the local configuration:
Host parameters:
Remote host (peer) public IP: 1.2.3.4
Local host public IP: 6.7.8.9
Address of (local) Wireguard interface (wg0): 10.10.10.1/32
Wireguard listen port: 51820
Local private key: xxxx
Local public key: yyyy
Remote public key: zzzz
Remote network address: 10.0.0.0/24
Local network address: 192.168.1.0/24

Create the private key (and make it readable only by root):
wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key

Create the corresponding public key:
cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key

Create the config file (/etc/wireguard/wg0.conf) with the following content:
[Interface]
Address = 10.10.10.1/32
SaveConfig = true
PostUp = ip rule add table 200 from 6.7.8.9
PostUp = ip route add table 200 default via 6.7.8.9
PreDown = ip rule delete table 200 from 6.7.8.9
PreDown = ip route delete table 200 default via 6.7.8.9
ListenPort = 51820
PrivateKey = xxxx
[Peer]
PublicKey = zzzz
AllowedIPs = 10.0.0.0/24
Endpoint = 1.2.3.4:51820

Add the firewall rules to the config file [/etc/nftables.conf] (these can be created on the fly as well, but I prefer a static firewall config).
Forward chain:
iifname "wg0" ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter packets 0 bytes 0 accept
oifname "wg0" ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter packets 0 bytes 0 accept

Postrouting chain (these accept rules must come before any masquerade rule in the chain, otherwise traffic between the two networks is NATed):
ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter packets 0 bytes 0 accept
ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter packets 0 bytes 0 accept

Create the peer configuration:
Remote host (peer) parameters.
Remote host (peer) public IP: 6.7.8.9
Local host public IP: 1.2.3.4
Address of (local) Wireguard interface (wg0): 10.10.10.1/32
Wireguard listen port: 51820
Local private key: jklm (see key generation above)
Local public key: defg (see key generation above)
Remote public key: yyyy
Remote network address: 192.168.1.0/24
Local network address: 10.0.0.0/24

Create the private key (and make it readable only by root):
wg genkey | tee /etc/wireguard/private.key
chmod go= /etc/wireguard/private.key

Create the corresponding public key:
cat /etc/wireguard/private.key | wg pubkey | tee /etc/wireguard/public.key

Create the Wireguard config file (/etc/wireguard/wg0.conf) on the remote host with the following content:
[Interface]
Address = 10.10.10.2/32
SaveConfig = true
PostUp = ip rule add table 200 from 1.2.3.4
PostUp = ip route add table 200 default via 1.2.3.4
PreDown = ip rule delete table 200 from 1.2.3.4
PreDown = ip route delete table 200 default via 1.2.3.4
ListenPort = 51820
PrivateKey = jklm
[Peer]
PublicKey = yyyy
AllowedIPs = 192.168.1.0/24
Endpoint = 6.7.8.9:51820

Add the firewall rules to the config file [/etc/nftables.conf] (these can be created on the fly as well, but I prefer a static firewall config).
Forward chain:
iifname "wg0" ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter packets 0 bytes 0 accept
oifname "wg0" ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter packets 0 bytes 0 accept

Postrouting chain:
ip saddr 192.168.1.0/24 ip daddr 10.0.0.0/24 counter packets 0 bytes 0 accept
ip saddr 10.0.0.0/24 ip daddr 192.168.1.0/24 counter packets 0 bytes 0 accept
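Before starting the service on either side it pays to check that the two wg0.conf files really mirror each other: on each side the [Peer] PublicKey must be the other host's public key, the Endpoint port must equal the other host's ListenPort, AllowedIPs must cover the other side's network and must not cover the local one (the classic copy-paste slip that leaves the tunnel up but passing no traffic), and every PostUp add needs a matching PreDown delete. The Python script below is an added example, not part of this howto: it parses two constructed wg-quick files that follow the layout above (the howto's addresses, placeholder keys LOCAL_PUBKEY/REMOTE_PUBKEY, one [Peer] section per file) and reports every mismatch it finds.

```python
"""Cross-check two wg-quick configs of a site-to-site WireGuard link.

Added example (not part of the howto). The configs, keys and networks
below are constructed placeholders mirroring the howto's layout; the
checker assumes exactly one [Peer] section per file.
"""
import ipaddress
import re


def parse_wg_conf(text):
    """Parse wg-quick INI text into {section: {key: [values...]}}.

    Values are lists because PostUp/PreDown legitimately repeat; text after
    '#' is treated as a comment, as wg-quick does.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None:
            raise ValueError(f"key outside of a section: {line}")
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def check_pair(side_a, side_b):
    """Return a list of findings; an empty list means the pair is consistent.

    Each side is a dict: name (label), conf (parsed file), pub (its own
    public key as printed by `wg pubkey`), lan (network behind it).
    """
    findings = []
    addr_a = side_a["conf"]["Interface"]["Address"][0]
    if addr_a == side_b["conf"]["Interface"]["Address"][0]:
        findings.append(f"both interfaces use the same tunnel Address {addr_a}")

    for me, other in ((side_a, side_b), (side_b, side_a)):
        name, iface, peer = me["name"], me["conf"]["Interface"], me["conf"]["Peer"]
        my_lan, other_lan = ipaddress.ip_network(me["lan"]), ipaddress.ip_network(other["lan"])

        # [Peer] PublicKey must be the *other* host's key, not our own.
        if peer["PublicKey"][0] != other["pub"]:
            findings.append(f"{name}: Peer PublicKey is not {other['name']}'s public key")

        # Endpoint port must match the other host's ListenPort ([::1]:port also parses).
        _host, _, port = peer["Endpoint"][0].rpartition(":")
        if port != other["conf"]["Interface"]["ListenPort"][0]:
            findings.append(f"{name}: Endpoint port {port} != {other['name']} ListenPort")

        # AllowedIPs is both route and ACL: cover the remote LAN, never our own.
        allowed = [ipaddress.ip_network(a.strip()) for a in peer["AllowedIPs"][0].split(",")]
        if not any(other_lan.subnet_of(n) for n in allowed):
            findings.append(f"{name}: AllowedIPs does not cover remote network {other_lan}")
        if any(my_lan.overlaps(n) for n in allowed):
            findings.append(f"{name}: AllowedIPs overlaps local network {my_lan}")

        # Each PostUp 'add' should be undone by a PreDown 'delete', or stale
        # policy routes survive `wg-quick down`.
        expected = {u.replace(" add ", " delete ", 1) for u in iface.get("PostUp", [])}
        for missing in sorted(expected - set(iface.get("PreDown", []))):
            findings.append(f"{name}: PostUp has no matching PreDown: {missing}")
    return findings


# Constructed sample configs following the howto's layout (placeholder keys).
LOCAL_CONF = """\
[Interface]
Address = 10.10.10.1/32
SaveConfig = true
PostUp = ip rule add table 200 from 6.7.8.9
PostUp = ip route add table 200 default via 6.7.8.9
PreDown = ip rule delete table 200 from 6.7.8.9
PreDown = ip route delete table 200 default via 6.7.8.9
ListenPort = 51820
PrivateKey = LOCAL_PRIVKEY
[Peer]
PublicKey = REMOTE_PUBKEY
AllowedIPs = 10.0.0.0/24
Endpoint = 1.2.3.4:51820
"""

REMOTE_CONF = """\
[Interface]
Address = 10.10.10.2/32
SaveConfig = true
PostUp = ip rule add table 200 from 1.2.3.4
PostUp = ip route add table 200 default via 1.2.3.4
PreDown = ip rule delete table 200 from 1.2.3.4
PreDown = ip route delete table 200 default via 1.2.3.4
ListenPort = 51820
PrivateKey = REMOTE_PRIVKEY
[Peer]
PublicKey = LOCAL_PUBKEY
AllowedIPs = 192.168.1.0/24
Endpoint = 6.7.8.9:51820
"""


def check_howto_pair(remote_allowed="192.168.1.0/24"):
    """Check the two sample configs; remote_allowed lets the caller reproduce
    the copy-paste mistake of allowing the wrong network on the remote side."""
    remote = REMOTE_CONF.replace("AllowedIPs = 192.168.1.0/24", f"AllowedIPs = {remote_allowed}")
    return check_pair(
        {"name": "local", "conf": parse_wg_conf(LOCAL_CONF), "pub": "LOCAL_PUBKEY", "lan": "192.168.1.0/24"},
        {"name": "remote", "conf": parse_wg_conf(remote), "pub": "REMOTE_PUBKEY", "lan": "10.0.0.0/24"},
    )


if __name__ == "__main__":
    # Deliberately broken variant: remote allows its own LAN instead of the local one.
    for finding in check_howto_pair("10.0.0.0/24") or ["configs are consistent"]:
        print(finding)
```

To use it on real files, read both /etc/wireguard/wg0.conf files into parse_wg_conf and pass the public keys printed by `wg pubkey` on each host; the script never needs the private keys, so the files can be copied to a workstation with PrivateKey lines removed.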

Final steps:
Start the Wireguard service:
systemctl start wg-quick@wg0.service

Check the status:
systemctl status wg-quick@wg0.service

Enable the service at boot:
systemctl enable wg-quick@wg0.service

Ping from both ends to ensure connectivity.
See this Digital Ocean link for further information on how to add IPv6 and for a more in-depth explanation.

Tags: Linux , Networking