WireGuard : Configure Server (2025/10/08)
Install WireGuard, a simple yet fast and modern VPN. This example is based on the environment shown below. First, configure an IP masquerade (port forwarding) rule on your router so that UDP packets sent by the WireGuard client over the internet to the global IP address of the WireGuard server are forwarded to the server's local IP address (10.0.0.30, UDP port 51820 in this example).
+------------------------+
|  [ WireGuard Server ]  |172.16.100.1 (VPN IP)
|     dlp.srv.world      +--------+
|                        |wg0     |
+-----------+------------+        |
      enp1s0|10.0.0.30/24         |
            |                     |
            |    Local Network    |
       +----+-------+             |
-------| Router#1   |-------------|------
       +----+-------+             |
            |                     |
            |      Internet       |
            |                     |
       +----+-------+             |
-------| Router#2   |-------------|------
       +----+-------+             |
            |    Local Network    |
            |                     |
      enp1s0|192.168.10.30/24     |
+-----------+------------+        |
|  [ WireGuard Client ]  |wg0     |
|                        +--------+
|                        |172.16.100.5 (VPN IP)
+------------------------+
[1] Install WireGuard.
root@dlp:~# apt -y install wireguard-tools iptables
[2] Configure WireGuard.
# umask 077 so that the key files created below are readable by root only
root@dlp:~# umask 077
# generate private key for server
root@dlp:~# wg genkey | tee /etc/wireguard/server.key
uINJ26PUVJNOunLyu9iKWEL4EVAl1o3Z3oJZHKTsj1M=
# generate public key for server
root@dlp:~# cat /etc/wireguard/server.key | wg pubkey | tee /etc/wireguard/server.pub
RRhaAmGldFsEWlsKT0WPIat49kN4VwJdp9WiKLR/khE=
# generate private key for client
root@dlp:~# wg genkey | tee /etc/wireguard/client.key
SIKcFP7LzqrHF91aM2T1NX4FSfQQ6YlEKjGffg1McHk=
# generate public key for client
root@dlp:~# cat /etc/wireguard/client.key | wg pubkey | tee /etc/wireguard/client.pub
tNzTuWizlyJHir7jJR/IQnSYqnSMJ3TTu4WZqTpzjDI=
# confirm network interface
root@dlp:~# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:ad:4e:fb brd ff:ff:ff:ff:ff:ff
altname enx525400ad4efb
inet 10.0.0.30/24 brd 10.0.0.255 scope global enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fead:4efb/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
# create a new config
# [wg0.conf] ⇒ [(VPN interface name).conf]
# VPN interface name ⇒ any name you like
root@dlp:~# vi /etc/wireguard/wg0.conf
[Interface]
# specify generated private key for server
PrivateKey = uINJ26PUVJNOunLyu9iKWEL4EVAl1o3Z3oJZHKTsj1M=
# IP address for VPN interface
Address = 172.16.100.1
# UDP port the WireGuard server listens on
ListenPort = 51820
# possible to set any commands after WireGuard starts/stops
# set routing rules like follows to access the local network via the VPN session
# [wg0] ⇒ VPN interface name
# [enp1s0] ⇒ Ethernet interface name
PostUp = echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o enp1s0 -j MASQUERADE
PostDown = echo 0 > /proc/sys/net/ipv4/ip_forward; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o enp1s0 -j MASQUERADE

[Peer]
# specify public key for client
PublicKey = tNzTuWizlyJHir7jJR/IQnSYqnSMJ3TTu4WZqTpzjDI=
# clients' VPN IP addresses you allow to connect
# possible to specify subnet ⇒ [172.16.100.0/24]
# AllowedIPs is also the cryptokey routing table: only packets from/to these addresses are accepted for this peer
AllowedIPs = 172.16.100.5, 172.16.100.6

root@dlp:~# ip address show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 52:54:00:ad:4e:fb brd ff:ff:ff:ff:ff:ff
altname enx525400ad4efb
inet 10.0.0.30/24 brd 10.0.0.255 scope global enp1s0
valid_lft forever preferred_lft forever
inet6 fe80::5054:ff:fead:4efb/64 scope link proto kernel_ll
valid_lft forever preferred_lft forever
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 172.16.100.1/32 scope global wg0
valid_lft forever preferred_lft forever
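A check an administrator can run over wg0.conf before bringing the interface up, added here as an example and not part of wireguard-tools or of this page's original commands: it parses the file, verifies that each key decodes to 32 bytes and that the private key carries the X25519 clamping wg genkey applies, and flags AllowedIPs prefixes claimed by more than one peer, since WireGuard's cryptokey routing maps each prefix to exactly one peer. The sample config is constructed from the values shown on this page; the function names are the example's own.

```python
import base64
import ipaddress
# Sample config constructed from the key and address values shown on this page.
SAMPLE_CONF = """\
[Interface]
PrivateKey = uINJ26PUVJNOunLyu9iKWEL4EVAl1o3Z3oJZHKTsj1M=
Address = 172.16.100.1
[Peer]
PublicKey = tNzTuWizlyJHir7jJR/IQnSYqnSMJ3TTu4WZqTpzjDI=
AllowedIPs = 172.16.100.5, 172.16.100.6
"""

def parse_wg_conf(text):
    """List of (section, {key: value}); wg-quick allows several [Peer] sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif line:
            key, _, value = line.partition("=")
            sections[-1][1][key.strip()] = value.strip()
    return sections

def is_valid_key(b64, private=False):
    """32 base64-encoded bytes; wg genkey clamps private keys as X25519 requires
    (low 3 bits of byte 0 clear, bit 7 of byte 31 clear, bit 6 of byte 31 set)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) != 32:
        return False
    return not private or (raw[0] & 7 == 0 and raw[31] & 0xC0 == 0x40)

def check_config(text):
    """Return the problems found; an empty list means the file looks sane."""
    problems, seen = [], []
    for name, kv in parse_wg_conf(text):
        if name == "Interface" and not is_valid_key(kv.get("PrivateKey", ""), True):
            problems.append("Interface: PrivateKey is not a clamped 32-byte key")
        elif name == "Peer":
            if not is_valid_key(kv.get("PublicKey", "")):
                problems.append("Peer: PublicKey is not a 32-byte key")
            for entry in kv.get("AllowedIPs", "").split(","):
                net = ipaddress.ip_network(entry.strip(), strict=False)
                # Cryptokey routing binds a prefix to one peer: the later claim wins.
                problems += [f"Peer: AllowedIPs {net} overlaps {o}" for o in seen if net.overlaps(o)]
                seen.append(net)
    return problems
```

Run check_config on the file contents; any returned string is a misconfiguration worth fixing before wg-quick up.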