Project

General

Profile

Support #976

Updated by Daniel Curtis over 1 year ago

This is a guide on installing a WireGuard server with IPv4 only on Debian 11. This guide will be using nftables, since that is the default firewall on Debian. 

 h2. Prepare the Environment 

 * Make sure the system is up to date: 
 <pre> 
 sudo apt update && sudo apt upgrade 
 </pre> 

 h2. Install WireGuard 

 * Install WireGuard: 
 <pre> 
 sudo apt install wireguard 
 </pre> 

 h3. Setup Key Pair 

 * Create the private key and restrict permission to it: 
 <pre> 
 wg genkey | sudo tee /etc/wireguard/private.key 
 sudo chmod go= /etc/wireguard/private.key 
 </pre> 

 * Create a public key: 
 <pre> 
 sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key 
 </pre> 

 h3. Create Configuration 

 * Create a new config: 
 <pre> 
 sudo nano /etc/wireguard/wg0.conf 
 </pre> 
 #* And add the following 
 <pre> 
 [Interface] 
 PrivateKey = base64_encoded_private_key_goes_here 
 Address = 172.16.0.1/24 
 ListenPort = 51820 
 SaveConfig = true 
 </pre> 

 h3. Enable IPv4 Forwarding 

 * Enable forwading: 
 <pre> 
 sudo nano /etc/sysctl.d/99-sysctl.conf 
 </pre> 
 #* And uncomment the following line: 
 <pre> 
 net.ipv4.ip_forward=1 
 </pre> 

 * Reload the sysctl values: 
 <pre> 
 sudo sysctl -p 
 </pre> 

 h3. Configure Firewall 

 * Find the public network interface: 
 <pre> 
 ip route list default 
 </pre> 
 *NOTE*: The public interface is the string found within this command’s output that follows the word “dev”, in this case +enp0s3+ 

 * Edit the nftables config: 
 <pre> 
 sudo nano /etc/nftables.conf 
 </pre> 
 #* And add/edit the following: 
 <pre> 
 #!/usr/sbin/nft -f 

 flush ruleset 

 # `inet` applies to both IPv4 and IPv6. 
 table inet filter { 
     chain input { 
         type filter hook input priority 0; 

         # accept any localhost traffic 
         iif lo accept 

         # accept traffic originated from us 
         ct state established,related accept 

         # ssh 
         tcp dport 22 accept 

	 # wireguard 
	 udp dport 51820 accept 

	 # (Optional) Allow VPN clients to communicate with each other 
	 # iifname wg0 oifname wg0 ct state new accept 

         # count and drop any other traffic 
         counter drop 
     } 

     chain output { 
         type filter hook output priority 0; 
         policy accept; 
     } 

     chain forward { 
         type filter hook forward priority 0; 

	 # Drop invalid packets. 
	 ct state invalid drop 

	 # Forward all established and related traffic. 
	 ct state established,related accept 

	 # Forward wireguard traffic from enp0s3 
	 iifname wg0 oifname enp0s3 ct state new accept 

	 # (Optional) Forward wireguard traffic from wg0 
	 #iifname wg0 oifname wg0 ct state new accept 

         policy drop; 
     } 
 } 

 table ip router { 
     chain prerouting { 
         type nat hook prerouting priority 0; 
     } 

     chain postrouting { 
         type nat hook postrouting priority 100; 

         # masquerade wireguard traffic as server IP address 
         oifname enp0s3 ip saddr 172.16.0.0/24 masquerade 
     } 
 } 
 </pre> 

 * Start and enable wireguard, as well as restart nftables: 
 <pre> 
 sudo systemctl restart nftables 
 sudo systemctl enable wg-quick@wg0 
 sudo systemctl start wg-quick@wg0 
 </pre> 

 h2. Resources 

 * https://www.digitalocean.com/community/tutorials/how-to-set-up-wireguard-on-debian-11 
 * https://jwcxz.com/notes/200702-simple-wireguard-vpn/ 
 * https://xdeb.org/post/2019/setting-up-a-server-firewall-with-nftables-that-support-wireguard-vpn/ 
 * https://www.howtoforge.com/how-to-install-wireguard-vpn-on-debian-11/

Back