WireGuard on Debian 11 / Unstable branch
We will use Debian 11 or Unstable branch as example.
Installation step
echo "deb http://cdn-fastly.deb.debian.org/debian/ unstable main contrib non-free" > /etc/apt/sources.list
apt update
apt install linux-image-5.14.0-1-amd64 linux-headers-amd64 linux-headers-5.14.0-1-common
apt install wireguard
## Debian 11
apt install linux-headers-amd64 linux-headers-5.10.0-15-amd64 linux-headers-5.10.0-15-commonRecommended way to generate secure Wireguard VPN configuration
Here: https://www.wireguardconfig.com
Old school way to generate the public and private key
(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickeyEdit the wg0.conf file
## Vultr server has to change eth0 into ens3
# Edit wg0.conf
nano /etc/wireguard/wg0.conf
[Interface]
PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 1723 # UDP
Address = 10.8.3.1/32, fd42:42:44::1/64
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
#SaveConfig = true
## Generate from Android or other device
PublicKey = PUBLIC_KEY_ON_ANDROID
AllowedIPs = xxxx Save and fire it up!
wg-quick down wg0
wg-quick up wg0Make it auto start on boot
systemctl enable wg-quick@wg0Enable port forwarding
nano /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
//Save
sysctl -p Client config
[Interface]
PrivateKey = Troubleshooting
Reinstall Wireguard
// If you need reinstall
apt remove wireguard-dkms wireguard-tools wireguard
apt --fix-broken install && apt install wireguard If you using Google cloud with one-key Wireguard setup, and facing following error
$ ip link add dev wg0 type wireguard
RNETLINK answers: Operation not supported Solution
// Get latest linux-header
apt-get install libmnl-dev libelf-dev linux-headers-$(uname -r) build-essential pkg-config
// install wiregurad-tools again
apt-get install wireguard-dkms wireguard-tools
// Done
Credit: https://askubuntu.com/questions/973297/rnetlink-answers-operation-not-supported-fresh-ubuntu-fresh-wireguardSample wg0.conf
[Interface]
PrivateKey =
#Publickey =
ListenPort = 1723
Address = 10.8.3.1/24, fd42:42:44::1/64
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
[Peer]
# Mbpr 15 coolbitx
PublicKey = A6RfZTadqUZEsJXq+tg6H2NeaxB5FmzcVhVwJ/uoUUw=
AllowedIPs = 10.8.3.10/32, fd42:42:44::10/128
[Peer]
#Mbpr 15 personal
PublicKey = kyekTDeE0s3Xm/uB3XHQTjGWxPvuBrc97vTSm05ngXE=
AllowedIPs = 10.8.3.11/32, fd42:42:44::11/128
[Peer]
# Iphone se
PublicKey = wMfGWgZlJ2RnOqy49Ho5iYFz3W+N2L19aD1MuwjOyDQ=
AllowedIPs = 10.8.3.12/32, fd42:42:44::12/128
[Peer]
# Iphone 11
PublicKey = ppyQ2za4zi8nFQyb3M+6MRwUee50tVweGBVaygCUe1o=
AllowedIPs = 10.8.3.13/32, fd42:42:44::13/128
[Peer]
# Oneplus
PublicKey = 0UTsdJqCxxL429tzWZnuyFjmlrpcR1sud7pAMys6HFc=
AllowedIPs = 10.8.3.14/32, fd42:42:44::14/128
[Peer]
# Ipad
PublicKey = WemttxN/Lt/260DOZAB3OC7Pfbea/UmBqfVeAnJa7BI=
AllowedIPs = 10.8.3.15/32, fd42:42:44::15/128
[Peer]
# Asus
PublicKey = GjajCWaFagQTwL9xLnB1b3S3I2xi7W0ZxtsxL4Cjk2E=
AllowedIPs = 10.8.3.16/32, fd42:42:44::16/128
[Peer]
#
PublicKey = j5thMmwrl9FE/BqjJr0I8x4UYJxxWPsHw06Y3J+qigQ=
AllowedIPs = 10.8.3.17/32, fd42:42:44::17/128Photo by Matteo Catanese on Unsplash