Project

General

Profile

Support #977

Updated by Daniel Curtis about 1 year ago

This is a guide on installing a WireGuard IPv4 only peer on Debian 11. 

 h2. Prepare the Environment 

 * Make sure the system is up to date: 
 <pre> 
 sudo apt update && sudo apt upgrade 
 </pre> 

 h2. Install WireGuard 

 * Install WireGuard: 
 <pre> 
 sudo apt install wireguard iptables 
 </pre> 

 h3. Setup Key Pair 

 * Create the private key and restrict permission to it: 
 <pre> 
 wg genkey | sudo tee /etc/wireguard/private.key 
 sudo chmod go= /etc/wireguard/private.key 
 </pre> 

 * Create a public key: 
 <pre> 
 sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key 
 </pre> 

 h3. Create Configuration 

 * Create a new config: 
 <pre> 
 sudo nano /etc/wireguard/wg0.conf 
 </pre> 
 #* And add the following 
 <pre> 
 [Interface] 
 PrivateKey = base64_encoded_peer_private_key_goes_here 
 Address = 172.16.0.2/24 

 [Peer] 
 PublicKey = U9uE2kb/nrrzsEU58GD3pKFU3TLYDMCbetIsnV8eeFE= 
 AllowedIPs = 0.0.0.0/0 172.16.0.0/24 
 Endpoint = 203.0.113.1:51820 
 </pre> 

 h3. Configure Peer to Route All Traffic Over the Tunnel 

 * Edit the wireguard config: 
 <pre> 
 sudo nano /etc/wireguard/wg0.conf 
 </pre> 
 #*Before the @[Peer]@ line, add the following 4 lines: 
 <pre> 
 PostUp = ip rule add table 200 from 203.0.113.5 
 PostUp = ip route add table 200 default via 203.0.113.1 
 PreDown = ip rule delete table 200 from 203.0.113.5 
 PreDown = ip route delete table 200 default via 203.0.113.1 
 </pre> 
 *NOTE*: in this example 203.0.113.1 is the server and 203.0.113.5 is the peer (client). 

 h3. Configure Peer DNS Resolver 

 * Install resolvconf: 
 <pre> 
 sudo apt install resolvconf 
 </pre> 

 * Edit the wireguard config: 
 <pre> 
 sudo nano /etc/wireguard/wg0.conf 
 </pre> 

 h3. Add Peer Public Key to the WireGuard Server 

 * Get the public key from the peer: 
 <pre> 
 sudo cat /etc/wireguard/public.key 
 </pre> 

 * Next, from the wireguard server, add the peer's public key: 
 <pre> 
 sudo wg set wg0 peer PeURxj4Q75RaVhBKkRTpNsBPiPSGb5oQijgJsTa29hg= allowed-ips 172.16.0.2 
 </pre> 

 * Start and enable wireguard: 
 <pre> 
 sudo systemctl enable wg-quick@wg0 
 sudo systemctl start wg-quick@wg0 
 </pre> 

 h2. Resources 

 * https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11

Back