2021/08/13
Make sure to check the ‘Notes’ section.
1. Enable Debian 10 backport repository.
sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
2. Update apt repository info
apt update
3. Use apt to install.
apt install wireguard
4. Navigate to the WG directory, /etc/wireguard/.
cd /etc/wireguard/
5. Create a private/public key pair for the WireGuard server.
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
The parts of that line do the following:
umask 077
- sets the file creation permissions to user read/write only.
wg genkey
- uses the WG utility to create a private key.
| tee privatekey |
- passes the private key output to a file named privatekey and to the next command in line.
wg pubkey > publickey
- uses the private key to generate a public key, then writes the public key to a file named publickey.
You can see both of the new keys using cat.
cat privatekey publickey
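The point of the umask 077 in that line is that the private key must never be readable by other users on the box. The script below is an added example (it is not part of these notes): it shows the effect of the umask on a freshly created file, checks that a key file is mode 600, and wraps the same wg genkey pipeline in a subshell so the umask change does not leak into your login shell. The function names (file_mode, check_private_key_perms, gen_keypair, demo_umask) are my own, and stat -c assumes GNU coreutils as found on Debian.

```shell
#!/bin/sh
# Added example, not from the original notes: generate a WireGuard key pair
# with restrictive permissions and verify that the private key is owner-only.

# Print the octal permission bits of a file, e.g. 600 (GNU stat, as on Debian).
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 if FILE is mode 600 (owner read/write, nothing for group/other).
check_private_key_perms() {
    [ "$(file_mode "$1")" = "600" ]
}

# Generate privatekey/publickey in DIR the same way the notes do, but inside a
# subshell so the umask change does not persist in the caller's shell.
# Requires the wg(8) tool; returns 2 if it is not installed.
gen_keypair() {
    dir=$1
    command -v wg >/dev/null 2>&1 || return 2
    (
        cd "$dir" || exit 1
        umask 077
        wg genkey | tee privatekey | wg pubkey > publickey
    )
}

# Show what umask 077 changes, using ordinary files so this runs even where wg
# is not installed. Returns 0 if the umask-077 file is 600 and the default one
# (umask 022, the usual Debian default) is not.
demo_umask() {
    tmp=$(mktemp -d)
    ( umask 077; echo constructed-secret > "$tmp/protected" )
    ( umask 022; echo constructed-secret > "$tmp/default" )
    protected=$(file_mode "$tmp/protected")
    default=$(file_mode "$tmp/default")
    rm -rf "$tmp"
    [ "$protected" = "600" ] && [ "$default" != "600" ]
}
```

After running gen_keypair /etc/wireguard as root, check_private_key_perms /etc/wireguard/privatekey should return 0; if it does not, the file was created before the umask took effect and should be chmod 600.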
6. Create a new config file for the WG server.
vim /etc/wireguard/wg0.conf
Use this config - modify as you see fit.
[Use the private key we generated earlier] (also, make sure to remove my comments in the config file)
[Interface]
Address = 192.168.10.1/30 <--- VPN server tunnel IP address
ListenPort = 51194 <--- Port that the server will listen on
PrivateKey = *********** <--- The private key of this server - the one we generated earlier
SaveConfig = true
[Peer]
PublicKey = <--- The public key of the client (will be generated later)
AllowedIPs = 192.168.10.2/32 <--- list of IP addresses that should be allowed to traverse the VPN tunnel to this server
Open port 51194/udp so the WG server can listen for incoming connections.
ufw allow 51194/udp
Enable and start WireGuard
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
systemctl status wg-quick@wg0
You should see the wg0 interface with your specified IP address.
ip address show wg0
Debian 10
1. Enable Debian 10 backport repository.
sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
2. Update apt repository info
apt update
3. Use apt to install.
apt install wireguard
4. Create the client config file, /etc/wireguard/wg0.conf.
sh -c 'umask 077; touch /etc/wireguard/wg0.conf'
5. Move into /etc/wireguard/ and generate a private/public key pair like we did earlier.
cd /etc/wireguard/
umask 077; wg genkey | tee privatekey | wg pubkey > publickey
cat privatekey
6. Open the config file for editing.
vim /etc/wireguard/wg0.conf
Use this config. (make sure to remove my comments in the config file)
[Interface]
PrivateKey = ***************** <--- This client's private key
Address = 192.168.10.2/30 <--- VPN client tunnel IP address
[Peer]
PublicKey = ******************** <--- The server's public key
AllowedIPs = 192.168.10.1/32 <--- list of IP addresses that should be allowed to traverse the VPN tunnel to this client
Endpoint = x.x.x.x:51194 <--- The "Endpoint" is the VPN server: whatever the public IP of your server is, plus the port it's listening on
PersistentKeepalive = 20
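Both the server config above and this client config are easy to get subtly wrong: a "<---" annotation left in the file, a PrivateKey still set to the placeholder, or a file that ended up world-readable. The script below is an added example (not part of these notes, and not a WireGuard tool): a small pre-flight check to run before systemctl start, which covers either config. The function names (conf_get, check_wg_conf, write_sample_conf, write_placeholder_conf) are mine, the keys in the sample configs are constructed strings of the right shape rather than real keys, and it only inspects the first [Peer] block. stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the original notes: sanity-check a wg0.conf before
# starting wg-quick, so leftovers from the annotated template are caught early.

# A WireGuard key is 32 bytes in base64: 43 base64 characters followed by '='.
KEY_RE='^[A-Za-z0-9+/]\{43\}=$'

# Print the value of KEY in FILE (first match only), trailing spaces removed.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# Print every reason the config is unusable; return 0 only when there are none.
check_wg_conf() {
    f=$1
    bad=0
    if [ ! -f "$f" ]; then
        echo "missing file: $f"; return 1
    fi
    if [ "$(stat -c '%a' "$f")" != "600" ]; then
        echo "permissions are not 600 (private key readable by others)"; bad=1
    fi
    grep -q '^\[Interface\]' "$f" || { echo "no [Interface] section"; bad=1; }
    grep -q '^\[Peer\]' "$f"      || { echo "no [Peer] section"; bad=1; }
    priv=$(conf_get "$f" PrivateKey)
    echo "$priv" | grep -q "$KEY_RE" || { echo "PrivateKey is missing or still a placeholder"; bad=1; }
    pub=$(conf_get "$f" PublicKey)
    echo "$pub" | grep -q "$KEY_RE"  || { echo "PublicKey is missing or still a placeholder"; bad=1; }
    conf_get "$f" Address    | grep -q '/' || { echo "Address needs a prefix length, e.g. /30"; bad=1; }
    conf_get "$f" AllowedIPs | grep -q '/' || { echo "AllowedIPs needs a prefix length, e.g. /32"; bad=1; }
    # The "<--- ..." annotations in the notes are not valid config syntax.
    grep -q '<---' "$f" && { echo "inline '<---' comments must be removed"; bad=1; }
    return $bad
}

# Write a constructed, well-formed server config to FILE with mode 600.
# The keys are placeholders of the correct length, not real keys.
write_sample_conf() {
    ( umask 077
      cat > "$1" <<'EOF'
[Interface]
Address = 192.168.10.1/30
ListenPort = 51194
PrivateKey = 0123456789012345678901234567890123456789abc=
SaveConfig = true

[Peer]
PublicKey = 0123456789012345678901234567890123456789xyz=
AllowedIPs = 192.168.10.2/32
EOF
    )
}

# Write a config that still looks like the annotated template (constructed).
write_placeholder_conf() {
    ( umask 022
      cat > "$1" <<'EOF'
[Interface]
Address = 192.168.10.1/30 <--- VPN server tunnel IP address
PrivateKey = *********** <--- The private key of this server
[Peer]
PublicKey = <--- The public key of the client
AllowedIPs = 192.168.10.2/32
EOF
    )
}
```

Run it as check_wg_conf /etc/wireguard/wg0.conf on each machine; an empty output and exit status 0 means the file is ready for wg-quick.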
Enable and start WireGuard
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
systemctl status wg-quick@wg0
You should see the wg0 interface with your specified IP address.
ip address show wg0
Finish the server config
Now that the client is set up, we need to place the client's public key in the server's config file.
Open the server's /etc/wireguard/wg0.conf config file.
vim /etc/wireguard/wg0.conf
Place the client's public key under the [Peer] section.
...
[Peer]
PublicKey = ******************************
...
Notes
To be very clear (because it can be a bit much to wrap your head around when looking at all these steps), the private key of each machine stays in its own config file; it never gets pasted into any other machine's config.
The public key of the server is to be shared with every client that will connect to the server. The public key of every individual client is to be shared with the server config only.
When modifying the conf file(s) on the server or client, you must stop the WireGuard service for the instance you are going to edit. If you edit the config file while the service is running and then restart the service, the config file will revert to its previous state, because SaveConfig = true makes wg-quick write the running interface configuration back to the file when the service stops.
systemctl stop wg-quick@wg0.service
When you've made your change(s), start the service again.
systemctl start wg-quick@wg0.service
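Adding a client to the server is the step most often repeated later, and it is also where the SaveConfig behaviour bites. The script below is an added example (not part of these notes): it appends a [Peer] block to the server config only after checking that the key looks like a real WireGuard key, that it is not already in the file, and that wg-quick@wg0 is stopped, so the edit cannot be overwritten on shutdown. The function names (wg_is_active, add_peer, count_peers) are mine, the AllowedIPs check only accepts IPv4 a.b.c.d/n, and on a host without systemctl the service is assumed to be stopped.

```shell
#!/bin/sh
# Added example, not from the original notes: append a client's [Peer] block
# to the server's wg0.conf only while the wg-quick instance is stopped.

# A WireGuard key is 32 bytes in base64: 43 base64 characters followed by '='.
KEY_RE='^[A-Za-z0-9+/]\{43\}=$'

# Return 0 if the wg-quick instance for IFACE is running. Without systemctl
# (e.g. on a test box) assume it is not running.
wg_is_active() {
    command -v systemctl >/dev/null 2>&1 || return 1
    systemctl is-active --quiet "wg-quick@$1.service"
}

# add_peer CONF PUBKEY ALLOWED_IPS [IFACE]
# Returns 0 on success, 1 on invalid or duplicate input, 2 if the service is
# still running (stop it first, as the notes say).
add_peer() {
    conf=$1; pub=$2; ips=$3; iface=${4:-wg0}
    echo "$pub" | grep -q "$KEY_RE" \
        || { echo "refusing: public key is not a 44-character base64 key" >&2; return 1; }
    echo "$ips" | grep -q '^[0-9][0-9.]*/[0-9][0-9]*$' \
        || { echo "refusing: AllowedIPs must look like a.b.c.d/n" >&2; return 1; }
    grep -q "^PublicKey *= *$pub\$" "$conf" 2>/dev/null \
        && { echo "refusing: that public key is already in $conf" >&2; return 1; }
    wg_is_active "$iface" \
        && { echo "refusing: stop wg-quick@$iface first, SaveConfig would overwrite the edit" >&2; return 2; }
    printf '\n[Peer]\nPublicKey = %s\nAllowedIPs = %s\n' "$pub" "$ips" >> "$conf"
}

# Count the [Peer] blocks in CONF (prints 0 rather than failing when none).
count_peers() {
    grep -c '^\[Peer\]' "$1" || true
}
```

Typical use on the server is: systemctl stop wg-quick@wg0.service, then add_peer /etc/wireguard/wg0.conf "$CLIENT_PUBKEY" 192.168.10.2/32, then systemctl start wg-quick@wg0.service; the AllowedIPs value is the client's tunnel address with a /32, matching the [Peer] entry shown earlier.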