Support #976
Updated by Daniel Curtis over 1 year ago
This is a guide on installing a WireGuard server with IPv4 only on Debian 11.
h2. Prepare the Environment
* Make sure the system is up to date:
<pre>
sudo apt update && sudo apt upgrade
</pre>
h2. Install WireGuard
* Install WireGuard:
<pre>
sudo apt install wireguard
</pre>
h3. Setup Key Pair
* Create the private key and restrict permission to it:
<pre>
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
</pre>
* Create a public key:
<pre>
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
</pre>
h3. Create Configuration
* Create a new config:
<pre>
sudo nano /etc/wireguard/wg0.conf
</pre>
#* And add the following, replacing the placeholder with the contents of @/etc/wireguard/private.key@:
<pre>
[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 172.16.0.1/24
ListenPort = 51820
SaveConfig = true
</pre>
h3. Enable IPv4 Forwarding
* Enable forwarding:
<pre>
sudo nano /etc/sysctl.d/99-sysctl.conf
</pre>
#* And uncomment the following line:
<pre>
net.ipv4.ip_forward=1
</pre>
* Reload the sysctl values:
<pre>
sudo sysctl -p
</pre>
h3. Configure Firewall
* Find the public network interface:
<pre>
ip route list default
</pre>
*NOTE*: The public interface is the string that follows the word “dev” in this command’s output, in this case +enp0s3+. Use your own interface name in place of +enp0s3+ in the lines below.
* Edit the WireGuard config:
<pre>
sudo nano /etc/wireguard/wg0.conf
</pre>
#* After the @SaveConfig = true@ line, add the following lines:
<pre>
PostUp = ufw route allow in on wg0 out on enp0s3
PostUp = iptables -t nat -I POSTROUTING -o enp0s3 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on enp0s3
PreDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
</pre>
* Allow the WireGuard listen port through the firewall:
<pre>
sudo ufw allow 51820/udp
</pre>
* Start and enable WireGuard:
<pre>
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
</pre>
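A check worth running just before the start step above, as an added example that is not part of the original guide: it catches a config still holding the key placeholder, PostUp/PreDown hooks that name an interface other than the default-route device, and a private key readable by group or others. The helper names and the sample route and config are constructed for illustration.

```shell
# Added example, not from the original guide; helper names are hypothetical.

# Read `ip route list default` output on stdin; print the name that follows "dev".
default_dev() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Print the distinct outbound interfaces used by the PostUp/PreDown hooks in config $1:
# the word after "-o" (iptables) or after "out on" (ufw).
hook_devs() {
    awk '/^[ \t]*(PostUp|PreDown)[ \t]*=/ {
        line = $0; sub(/^[^=]*=/, "", line); n = split(line, w, " ")
        for (i = 1; i < n; i++) {
            if (w[i] == "-o") print w[i + 1]
            if (w[i] == "out" && w[i + 1] == "on" && i + 2 <= n) print w[i + 2]
        }
    }' "$1" | sort -u
}

# Succeed only when group and others have no access to $1 (ls shows e.g. -rw-------).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_config CONF DEV: print one line per problem found; return 1 if there was any.
audit_config() {
    rc=0
    if grep -q 'base64_encoded_private_key_goes_here' "$1"; then
        echo "PrivateKey is still the placeholder text"; rc=1
    fi
    for d in $(hook_devs "$1"); do
        [ "$d" = "$2" ] || { echo "hook names $d, default route uses $2"; rc=1; }
    done
    return "$rc"
}

# Constructed sample: route output for a host whose uplink is eth0, and the guide's
# config pasted unchanged (enp0s3 in the hooks, key placeholder still in place).
SAMPLE_ROUTE='default via 203.0.113.1 dev eth0 proto dhcp src 203.0.113.10 metric 100'
sample_conf() {
    printf '%s\n' '[Interface]' 'PrivateKey = base64_encoded_private_key_goes_here' \
        'Address = 172.16.0.1/24' 'ListenPort = 51820' 'SaveConfig = true' \
        'PostUp = ufw route allow in on wg0 out on enp0s3' \
        'PostUp = iptables -t nat -I POSTROUTING -o enp0s3 -j MASQUERADE' \
        'PreDown = ufw route delete allow in on wg0 out on enp0s3' \
        'PreDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE'
}

tmp=$(mktemp) && sample_conf > "$tmp"   # demo run: reports both problems in the sample
audit_config "$tmp" "$(echo "$SAMPLE_ROUTE" | default_dev)" || true; rm -f "$tmp"
```

On the server itself, run the functions as root against the real files: @audit_config /etc/wireguard/wg0.conf "$(ip route list default | default_dev)"@ and @key_is_private /etc/wireguard/private.key@.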
h2. Resources
* https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11