Support #976
Updated by Daniel Curtis over 2 years ago
This is a guide on installing a WireGuard server with IPv4 only on Debian 11. This guide will be using nftables, since that is the default firewall on Debian.
h2. Prepare the Environment
* Make sure the system is up to date:
<pre>
sudo apt update && sudo apt upgrade
</pre>
h2. Install WireGuard
* Install WireGuard:
<pre>
sudo apt install wireguard
</pre>
h3. Setup Key Pair
* Create the private key and restrict permission to it:
<pre>
wg genkey | sudo tee /etc/wireguard/private.key
sudo chmod go= /etc/wireguard/private.key
</pre>
* Create a public key:
<pre>
sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
</pre>
h3. Create Configuration
* Create a new config:
<pre>
sudo nano /etc/wireguard/wg0.conf
</pre>
#* And add the following:
<pre>
[Interface]
PrivateKey = base64_encoded_private_key_goes_here
Address = 172.16.0.1/24
ListenPort = 51820
SaveConfig = true
</pre>
h3. Enable IPv4 Forwarding
* Enable forwarding:
<pre>
sudo nano /etc/sysctl.d/99-sysctl.conf
</pre>
#* And uncomment the following line:
<pre>
net.ipv4.ip_forward=1
</pre>
* Reload the sysctl values:
<pre>
sudo sysctl -p
</pre>
h3. Configure Firewall
* Find the public network interface:
<pre>
ip route list default
</pre>
*NOTE*: The public interface is the string found within this command’s output that follows the word “dev”, in this case +enp0s3+
* Edit the nftables config:
<pre>
sudo nano /etc/nftables.conf
</pre>
#* And add/edit the following:
<pre>
#!/usr/sbin/nft -f
flush ruleset
# `inet` applies to both IPv4 and IPv6.
table inet filter {
    chain input {
        type filter hook input priority 0;
        # accept any localhost traffic
        iif lo accept
        # accept traffic originated from us
        ct state established,related accept
        # ssh
        tcp dport 22 accept
        # wireguard
        udp dport 51820 accept
        # count and drop any other traffic
        counter drop
    }
    chain output {
        type filter hook output priority 0;
        policy accept;
    }
    chain forward {
        type filter hook forward priority 0;
        # Drop invalid packets.
        ct state invalid drop
        # Forward all established and related traffic.
        ct state established,related accept
        # Forward new connections from WireGuard clients (wg0) out through the public interface (enp0s3)
        iifname wg0 oifname enp0s3 ct state new accept
        # (Optional) Allow VPN clients to communicate with each other (wg0 to wg0)
        # iifname wg0 oifname wg0 ct state new accept
        policy drop;
    }
}
table ip router {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        # masquerade wireguard traffic as server IP address
        oifname enp0s3 ip saddr 172.16.0.0/24 masquerade
    }
}
</pre>
* Restart nftables to load the new ruleset, then enable and start WireGuard:
<pre>
sudo systemctl restart nftables
sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
</pre>
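As an added check, not part of the original guide, the following POSIX sh script cross-checks the values in wg0.conf against nftables.conf and ip_forward before the services are restarted: the ListenPort must have a matching udp accept rule and the Address network must have a matching masquerade rule, otherwise the tunnel handshakes but carries no traffic. All function names (wg_value, ip_network, nft_has, check_consistency) are hypothetical, and the two config texts are constructed samples using the guide's values.

```shell
#!/bin/sh
# Added check, not part of the original guide: cross-check wg0.conf, the nftables
# ruleset and ip_forward before restarting services. A port or subnet mismatch
# between the two files is the usual reason a tunnel handshakes but forwards
# nothing. WG_CONF and NFT_CONF are constructed samples using the guide's values.
WG_CONF='[Interface]
Address = 172.16.0.1/24
ListenPort = 51820'
NFT_CONF='table inet filter {
  chain input {
    udp dport 51820 accept
  }
}
table ip router {
  chain postrouting {
    oifname enp0s3 ip saddr 172.16.0.0/24 masquerade
  }
}'
# wg_value CONFIG_TEXT KEY -> prints the value of "KEY = value" (values may contain '=')
wg_value() {
  printf '%s\n' "$1" | awk -v k="$2" \
    'sub("^[ \t]*" k "[ \t]*=[ \t]*", "") { sub(/[ \t]+$/, ""); print; exit }'
}
# ip_network ADDR/PREFIX -> the network, e.g. 172.16.0.1/24 -> 172.16.0.0/24
ip_network() {
  addr=${1%/*}; plen=${1#*/}
  oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
  n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
  net=$(( n & (4294967295 << (32 - plen)) & 4294967295 ))
  printf '%d.%d.%d.%d/%d\n' $(( net >> 24 & 255 )) $(( net >> 16 & 255 )) \
    $(( net >> 8 & 255 )) $(( net & 255 )) "$plen"
}
# nft_has RULESET_TEXT ERE -> succeeds if any line of the ruleset matches
nft_has() { printf '%s\n' "$1" | grep -Eq "$2"; }
# check_consistency WG_TEXT NFT_TEXT IP_FORWARD_VALUE -> returns 0 if everything
# lines up, otherwise prints each problem found and returns 1
check_consistency() {
  rc=0
  port=$(wg_value "$1" ListenPort)
  subnet=$(ip_network "$(wg_value "$1" Address)")
  esc=$(printf '%s' "$subnet" | sed 's/\./\\./g')
  nft_has "$2" "udp[[:space:]]+dport[[:space:]]+${port}[[:space:]]+accept" \
    || { echo "firewall does not accept udp/$port (ListenPort)"; rc=1; }
  nft_has "$2" "ip[[:space:]]+saddr[[:space:]]+${esc}[[:space:]]+masquerade" \
    || { echo "no masquerade rule for $subnet (Address network)"; rc=1; }
  [ "$3" = 1 ] || { echo "net.ipv4.ip_forward is '$3', must be 1"; rc=1; }
  return "$rc"
}
check_consistency "$WG_CONF" "$NFT_CONF" 1 && echo "wg0.conf and nftables.conf agree"
```

On a real server, pass `$(sudo cat /etc/wireguard/wg0.conf)`, `$(cat /etc/nftables.conf)` and `$(sysctl -n net.ipv4.ip_forward)` as the three arguments instead of the samples.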
h2. Resources
* https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11
* https://jwcxz.com/notes/200702-simple-wireguard-vpn/
* https://xdeb.org/post/2019/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/
* https://www.howtoforge.com/how-to-install-wireguard-vpn-on-debian-11/