Project

General

Profile

Support #976

Install WireGuard Server on Debian

Added by Daniel Curtis over 1 year ago. Updated over 1 year ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Server
Target version:
Start date:
04/10/2023
Due date:
% Done:

100%

Estimated time:
1.00 h
Spent time:

Description

This is a guide on installing a WireGuard server with IPv4 only on Debian 11. This guide will be using nftables, since that is the default firewall on Debian.

Prepare the Environment

  • Make sure the system is up to date:
    sudo apt update && sudo apt upgrade
    

Install WireGuard

  • Install WireGuard:
    sudo apt install wireguard
    

Setup Key Pair

  • Create the private key and restrict permission to it:
    wg genkey | sudo tee /etc/wireguard/private.key
    sudo chmod go= /etc/wireguard/private.key
    
  • Create a public key:
    sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
    

Create Configuration

  • Create a new config:
    sudo nano /etc/wireguard/wg0.conf
    
    • And add the following
      [Interface]
      PrivateKey = base64_encoded_private_key_goes_here
      Address = 172.16.0.1/24
      ListenPort = 51820
      SaveConfig = true
      

Enable IPv4 Forwarding

  • Enable forwading:
    sudo nano /etc/sysctl.d/99-sysctl.conf
    
    • And uncomment the following line:
      net.ipv4.ip_forward=1
      
  • Reload the sysctl values:
    sudo sysctl -p
    

Configure Firewall

  • Find the public network interface:
    ip route list default
    

    NOTE: The public interface is the string found within this command’s output that follows the word “dev”, in this case enp0s3
  • Edit the nftables config:
    sudo nano /etc/nftables.conf
    
    • And add/edit the following:
      #!/usr/sbin/nft -f
      
      flush ruleset
      
      # `inet` applies to both IPv4 and IPv6.
      table inet filter {
          chain input {
              type filter hook input priority 0;
      
              # accept any localhost traffic
              iif lo accept
      
              # accept traffic originated from us
              ct state established,related accept
      
              # ssh
              tcp dport 22 accept
      
          # wireguard
          udp dport 51820 accept
      
          # (Optional) Allow VPN clients to communicate with each other
          # iifname wg0 oifname wg0 ct state new accept
      
              # count and drop any other traffic
              counter drop
          }
      
          chain output {
              type filter hook output priority 0;
              policy accept;
          }
      
          chain forward {
              type filter hook forward priority 0;
      
          # Drop invalid packets.
          ct state invalid drop
      
          # Forward all established and related traffic.
          ct state established,related accept
      
          # Forward wireguard traffic from enp0s3
          iifname wg0 oifname enp0s3 ct state new accept
      
          # (Optional) Forward wireguard traffic from wg0
          #iifname wg0 oifname wg0 ct state new accept
      
              policy drop;
          }
      }
      
      table ip router {
          chain prerouting {
              type nat hook prerouting priority 0;
          }
      
          chain postrouting {
              type nat hook postrouting priority 100;
      
              # masquerade wireguard traffic as server IP address
              oifname enp0s3 ip saddr 172.16.0.0/24 masquerade
          }
      }
      
  • Start and enable wireguard, as well as restart nftables:
    sudo systemctl restart nftables
    sudo systemctl enable wg-quick@wg0
    sudo systemctl start wg-quick@wg0
    

Resources

Also available in: Atom PDF