This post has been updated to accommodate changes and feature updates in WireGuard and Debian OS.
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPSec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances.
The tutorial below is based on Debian, but most of it will also work on other *nix operating systems. So without wasting any more time, let's get started!
Use the commands below to install WireGuard on Debian. For any other OS, please check here:
sudo sh -c "echo 'deb http://deb.debian.org/debian buster-backports main contrib non-free' > /etc/apt/sources.list.d/buster-backports.list"
sudo apt update
sudo apt install wireguard
cd /etc/wireguard/ and create a Public and Private Key pair
(umask 077 && printf "[Interface]\nPrivateKey = " | sudo tee /etc/wireguard/wg0.conf > /dev/null)
wg genkey | sudo tee -a /etc/wireguard/wg0.conf | wg pubkey | sudo tee /etc/wireguard/publickey
Modify the configuration file:
And add the below text:
PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 5555
SaveConfig = false
Address = 10.0.0.1/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
WireGuard server configuration is complete for now.
wg-quick up wg0
Check WireGuard status:
Configuring WireGuard VPN on Windows PC:
Follow the below steps to configure Windows client to access WireGuard VPN.
- Download and Install WireGuard Client file from here.
- Open the WireGuard Tunnel Management window.
- At the bottom left, click on the arrow next to the "Add Tunnel" button and select "Add empty tunnel", or press Ctrl+N.
- The new connection will automatically generate a Public and Private key pair.
- Give a name to the connection
- Add the below values in the dialog box below the Private Key.
[Interface]
PrivateKey = [Private Key of the Client automatically generated]
Address = 10.0.0.3/24
DNS = 220.127.116.11
Add the Peer Information below the interface
[Peer]
PublicKey = [Public Key of the WireGuard Server]
AllowedIPs = 0.0.0.0/0
Endpoint = [Public IP of the WireGuard Server]:5555
Configuring WireGuard VPN on Android device:
Follow the below steps to configure Android client to access your WireGuard VPN.
- Download and Install WireGuard app from Google Play Store
- Click the + button
- Select "Create from scratch"
- Give a name (without using any special character)
- Click "GENERATE" beside "Private key", to generate the private-key and the public-key
- Fill in "10.0.0.2/32" for "Addresses"
- Fill in "18.104.22.168,22.214.171.124" or "126.96.36.199,188.8.131.52", etc for "DNS servers"
Add the server information:
- Click "ADD PEER"
- Fill in the
- Fill in "0.0.0.0/0" for "Allowed IPs"
- Fill in the Server IP or domain-name with port-number for "Endpoint" (e.g. 12.34.56.78:5555 or mydomain.com:5555)
Finishing the setup on Server
Modify the WireGuard configuration file to add the peer details.
Add the below text:
[Peer]
PublicKey = [PublicKey_created_in_the_app_during_setup]
AllowedIPs = 10.0.0.2/32

[Peer]
PublicKey = [PublicKey_created_in_the_windows_setup]
AllowedIPs = 10.0.0.3/32
Save and exit.
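A check to run on the server's wg0.conf before restarting, as an added example that is not part of the original post: it flags a typographic dash pasted into PostUp/PostDown (iptables does not parse it as an option) and any [Peer] whose AllowedIPs is wider than one host or overlaps another peer's, since WireGuard accepts from a peer any source address inside its AllowedIPs. The sample config, its placeholder keys and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in this tutorial's layout, with two deliberate mistakes.
SAMPLE_CONF = """\
[Interface]
PrivateKey = YOUR_PRIVATE_KEY
Address = 10.0.0.1/24
PostUp = iptables -t nat \u2013A POSTROUTING -o eth0 -j MASQUERADE
[Peer]
PublicKey = ANDROID_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = WINDOWS_PUBLIC_KEY
AllowedIPs = 10.0.0.0/24
"""

def parse_sections(text):
    """Split the INI-style file into an ordered list of (name, settings)."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # base64 keys may end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def lint(text):
    """Return a list of human-readable findings for a server config."""
    findings, claimed = [], []
    for name, cfg in parse_sections(text):
        if name == "Interface":
            for hook in ("PostUp", "PostDown"):
                if re.search("[\u2010-\u2015\u2212]", cfg.get(hook, "")):
                    findings.append(f"{hook}: typographic dash instead of '-'")
        elif name == "Peer":
            peer = cfg.get("PublicKey", "?")
            items = (s.strip() for s in cfg.get("AllowedIPs", "").split(","))
            for item in filter(None, items):
                net = ipaddress.ip_network(item, strict=False)
                if net.num_addresses > 1:
                    findings.append(f"{peer}: {net} is wider than one host")
                findings += [f"{peer}: {net} overlaps {o} of {p}"
                             for p, o in claimed if net.overlaps(o)]
                claimed.append((peer, net))
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

To check a real file, pass its contents to `lint()`; reading /etc/wireguard/wg0.conf requires root because it holds the private key.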
Restart WireGuard for the changes to take effect:
wg-quick down wg0
wg-quick up wg0
To start WireGuard automatically on system startup
systemctl enable wg-quick@wg0
Enable Packet Forwarding to access internet through WireGuard VPN
Search for and set:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
Apply the changes:
sysctl -p
You can also set them directly with the following commands (these take effect immediately but do not persist across a reboot):
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv6.conf.all.forwarding=1
If you have installed UFW on the server, there are a few more things which need to be configured to complete the VPN Setup
1. If you need UFW to NAT connections from the external interface to the internal one, the solution is pretty straightforward. In the file /etc/default/ufw, change the parameter DEFAULT_FORWARD_POLICY
2. Also configure /etc/ufw/sysctl.conf to allow IPv4 forwarding (the parameter is commented out by default). Uncomment the IPv6 lines if you want.
net.ipv4.ip_forward=1
#net/ipv6/conf/default/forwarding=1
#net/ipv6/conf/all/forwarding=1
3. The final step is to add NAT to ufw’s configuration. Add the following to /etc/ufw/before.rules just before the filter rules.
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
4. Additionally, you will need to update the wg0.conf to look like this:
PrivateKey = YOUR_PRIVATE_KEY
ListenPort = 5555
SaveConfig = false
Address = 10.0.0.1/24
PostUp = ufw allow in on wg0 to any
PostDown = ufw deny in on wg0 to any
sudo ufw disable && sudo ufw enable
That's all, folks!
You have successfully completed the WireGuard VPN installation.
Update: I have also created a script to automate the task of setting up WireGuard.
You can check the script here