Support #976
Updated by Daniel Curtis over 1 year ago
This is a guide on installing a WireGuard server with IPv4 only on Debian 11. This guide uses nftables, since that is the default firewall on Debian.

h2. Prepare the Environment

* Make sure the system is up to date:
<pre>
sudo apt update && sudo apt upgrade
</pre>

h2. Install WireGuard

* Install WireGuard:
<pre>
sudo apt install wireguard
</pre>

h3. Setup Key Pair

* Create the private key and restrict permissions on it:
<pre>
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
</pre>
* Derive the public key from it:
<pre>
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
</pre>

h3. Create Configuration

* Create a new config:
<pre>
sudo nano /etc/wireguard/wg0.conf
</pre>
#* And add the following, replacing the placeholder with the contents of @/etc/wireguard/private.key@:
<pre>
[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 172.16.0.1/24
ListenPort = 51820
SaveConfig = true
</pre>

h3. Enable IPv4 Forwarding

* Enable forwarding:
<pre>
sudo nano /etc/sysctl.d/99-sysctl.conf
</pre>
#* And uncomment the following line:
<pre>
net.ipv4.ip_forward=1
</pre>
* Reload the sysctl values:
<pre>
sudo sysctl -p
</pre>

h3. Configure Firewall

* Find the public network interface:
<pre>
ip route list default
</pre>
*NOTE*: The public interface is the string in this command's output that follows the word "dev", in this case +enp0s3+.
* Edit the nftables config:
<pre>
sudo nano /etc/nftables.conf
</pre>
#* And add/edit the following, replacing +enp0s3+ with your public interface:
<pre>
#!/usr/sbin/nft -f

flush ruleset

# `inet` applies to both IPv4 and IPv6.
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # ssh
        tcp dport 22 accept
        # wireguard
        udp dport 51820 accept
        # count and drop any other traffic
        counter drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Drop invalid packets.
        ct state invalid drop
        # Forward all established and related traffic.
        ct state established,related accept
        # Forward wireguard traffic out of the public interface
        iifname wg0 oifname enp0s3 ct state new accept
        # (Optional) Allow VPN clients to communicate with each other
        # iifname wg0 oifname wg0 ct state new accept
    }
}

table ip router {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # masquerade wireguard traffic as the server IP address
        oifname enp0s3 ip saddr 172.16.0.0/24 masquerade
    }
}
</pre>
*NOTE*: If ufw and iptables are used instead of nftables, add the following lines to @/etc/wireguard/wg0.conf@ after the @SaveConfig = true@ line, then open the listen port in ufw:
<pre>
PostUp = ufw route allow in on wg0 out on enp0s3
PostUp = iptables -t nat -I POSTROUTING -o enp0s3 -j MASQUERADE
PreDown = ufw route delete allow in on wg0 out on enp0s3
PreDown = iptables -t nat -D POSTROUTING -o enp0s3 -j MASQUERADE
</pre>
<pre>
sudo ufw allow 51820/udp
</pre>
* Restart nftables, then start and enable wireguard:
<pre>
sudo systemctl restart nftables
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
</pre>

h2. Resources

* https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11
* https://jwcxz.com/notes/200702-simple-wireguard-vpn/
* https://xdeb.org/post/2019/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/
* https://www.howtoforge.com/how-to-install-wireguard-vpn-on-debian-11/
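The Configure Firewall section above hand-edits the public interface name into several nftables rules, which is where a stale name (eth0 instead of enp0s3) slips in. The following added shell script, not part of the original guide, reads the interface from @ip route list default@ and renders the same ruleset with the interface, WireGuard subnet and port substituted; the function names, @check_ruleset@ and the constructed route line used in its comments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original guide: render /etc/nftables.conf for
# the WireGuard setup with the public interface filled in (no eth0/enp0s3 mix-up).

# Print the interface name that follows "dev" in `ip route list default` output.
# Reads the route line on stdin so it can be tested with a constructed line.
public_iface() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Render the ruleset. Args: public interface, WireGuard subnet, listen port.
render_nftables() {
    iface="$1"; subnet="$2"; port="$3"
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        iif lo accept
        ct state established,related accept
        tcp dport 22 accept
        udp dport ${port} accept
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname wg0 oifname ${iface} ct state new accept
    }
}
table ip router {
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname ${iface} ip saddr ${subnet} masquerade
    }
}
EOF
}

# Parse-only check with nft (nothing is loaded); skipped when nft is not installed.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || { echo "nft not found, skipping syntax check" >&2; return 0; }
    render_nftables "$@" | nft -c -f -
}

# Typical use on the server (constructed example invocation):
#   iface=$(ip route list default | public_iface)
#   check_ruleset "$iface" 172.16.0.0/24 51820 && render_nftables "$iface" 172.16.0.0/24 51820 | sudo tee /etc/nftables.conf
```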