Support #976
Updated by Daniel Curtis over 1 year ago
This is a guide on installing a WireGuard server with IPv4 only on Debian 11. This guide will be using nftables, since that is the default firewall on Debian. h2. Prepare the Environment * Make sure the system is up to date: <pre> sudo apt update && sudo apt upgrade </pre> h2. Install WireGuard * Install WireGuard: <pre> sudo apt install wireguard </pre> h3. Setup Key Pair * Create the private key and restrict permission to it: <pre> wg genkey | sudo tee /etc/wireguard/private.key sudo chmod go= /etc/wireguard/private.key </pre> * Create a public key: <pre> sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key </pre> h3. Create Configuration * Create a new config: <pre> sudo nano /etc/wireguard/wg0.conf </pre> #* And add the following <pre> [Interface] PrivateKey = base64_encoded_private_key_goes_here Address = 172.16.0.1/24 ListenPort = 51820 SaveConfig = true </pre> h3. Enable IPv4 Forwarding * Enable forwading: <pre> sudo nano /etc/sysctl.d/99-sysctl.conf </pre> #* And uncomment the following line: <pre> net.ipv4.ip_forward=1 </pre> * Reload the sysctl values: <pre> sudo sysctl -p </pre> h3. Configure Firewall * Find the public network interface: <pre> ip route list default </pre> *NOTE*: The public interface is the string found within this command’s output that follows the word “dev”, in this case +enp0s3+ * Edit the nftables config: <pre> sudo nano /etc/nftables.conf </pre> #* And add/edit the following: <pre> #!/usr/sbin/nft -f flush ruleset # `inet` applies to both IPv4 and IPv6. table inet filter { chain input { type filter hook input priority 0; # accept any localhost traffic iif lo accept # accept traffic originated from us ct state established,related accept # ssh tcp dport 22 accept # wireguard udp dport 51820 accept # (Optional) Allow VPN clients to communicate with each other # iifname wg0 oifname wg0 ct state new accept # count and drop any other traffic counter drop } chain output { type filter hook output priority 0; policy accept; } chain forward { type filter hook forward priority 0; # Drop invalid packets. ct state invalid drop # Forward all established and related traffic. ct state established,related accept # Forward wireguard traffic from enp0s3 iifname wg0 oifname enp0s3 ct state new accept # (Optional) Forward wireguard traffic from wg0 #iifname wg0 oifname wg0 ct state new accept policy drop; } } table ip router { chain prerouting { type nat hook prerouting priority 0; } chain postrouting { type nat hook postrouting priority 100; # masquerade wireguard traffic as server IP address oifname enp0s3 ip saddr 172.16.0.0/24 masquerade } } </pre> * Start and enable wireguard, as well as restart nftables: <pre> sudo systemctl restart nftables sudo systemctl enable wg-quick@wg0 sudo systemctl start wg-quick@wg0 </pre> h2. Resources * https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11 * https://jwcxz.com/notes/200702-simple-wireguard-vpn/ * https://xdeb.org/post/2019/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/ * https://www.howtoforge.com/how-to-install-wireguard-vpn-on-debian-11/