[https://www.wireguard.com/ WireGuard] is an open source VPN protocol. Its own description: ''It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.''
= Installation on Debian 9+ =
If you do not use Debian 9+, follow the guides on [https://www.wireguard.com/install/ WireGuard's install page].

The steps below pull the <code>wireguard</code> package from Debian unstable, which is what Debian 9 (stretch) needs: its 4.9 kernel has no WireGuard module, so the package builds one with DKMS, hence the <code>linux-headers</code> dependency. The APT pin with priority 90 is what keeps this safe: a priority below 100 means packages from unstable are only installed when you ask for them explicitly and never replace the installed versions on <code>apt upgrade</code>. Do not add the unstable source without the pin. On Debian 11 (bullseye) and later, <code>wireguard</code> is in the main archive and the kernel (5.6+) ships the module, so a plain <code>apt install wireguard</code> is enough and none of the unstable setup is required.

Run these commands as root:
<pre>
echo "deb http://deb.debian.org/debian/ unstable main" > /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' > /etc/apt/preferences.d/limit-unstable
apt update
apt install linux-headers-$(uname -r) wireguard
</pre>
Or, as an unprivileged user with sudo:
<pre>
echo "deb http://deb.debian.org/debian/ unstable main" | sudo tee /etc/apt/sources.list.d/unstable.list
printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' | sudo tee /etc/apt/preferences.d/limit-unstable
sudo apt update
sudo apt install linux-headers-$(uname -r) wireguard
</pre>
= Generate keys =
Run this once on each machine (server and every client), for example inside <code>/etc/wireguard/</code>. The <code>umask 077</code> makes the files readable only by their owner, which matters because <code>privatekey</code> is the peer's long-term identity; anyone who reads it can impersonate that peer. Only the contents of <code>publickey</code> are ever copied to the other side.

<code>umask 077; wg genkey | tee privatekey | wg pubkey > publickey</code>
= Configuration =
== Client ==
<code>/etc/wireguard/wg0.conf</code>
<pre>
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
#DNS = 10.x.x.x, 10.x.x.x # optional; recommended only when AllowedIPs is 0.0.0.0/0, so name resolution goes through the tunnel too
[Peer]
PublicKey = Server_Public_Key
AllowedIPs = 0.0.0.0/0 # or subnets you want to allow
Endpoint = ip:51820
# PersistentKeepalive = 25 # optional
</pre>
== Server ==
<code>/etc/wireguard/wg0.conf</code>
<pre>
[Interface]
PrivateKey = PRIVATE_KEY
Address = 10.x.x.x/x
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o PUBLIC_INTERFACE -j MASQUERADE
[Peer]
PublicKey = Client_Public_key
AllowedIPs = 10.x.x.x/32 # the client's tunnel address; the server only accepts packets from this peer with this source IP
</pre>
Replace <code>PUBLIC_INTERFACE</code> with the interface that faces the internet, such as <code>eth0</code>; <code>%i</code> is expanded by wg-quick to the tunnel interface name (<code>wg0</code> here). Each additional client gets its own <code>[Peer]</code> block with its own public key and a distinct <code>/32</code>; keep the <code>AllowedIPs</code> ranges disjoint, because if two peers claim the same address the later assignment silently takes it over.
= Enable IPv4 packet forwarding =
The server must forward packets between the tunnel and its public interface. In <code>/etc/sysctl.d/99-sysctl.conf</code>, uncomment the line <code>#net.ipv4.ip_forward=1</code>.
To apply, reboot or run <code>sudo sysctl -p</code>. Check the result with <code>sysctl net.ipv4.ip_forward</code>, which should print <code>net.ipv4.ip_forward = 1</code>.
= Daemonizing =
Replace wg0 with the filename (without extension) you have in <code>/etc/wireguard/</code>.
<pre>
sudo systemctl enable --now wg-quick@wg0
</pre>
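Once the server is up, new clients are added by appending a <code>[Peer]</code> block to the server config and handing the client its own config. The script below does that for one client as an added example; it is not part of this page, of wireguard.com, or of the <code>wireguard-tools</code> package. It assumes the server config is <code>/etc/wireguard/wg0.conf</code>, the tunnel carries <code>10.0.0.0/24</code> with the server at <code>10.0.0.1</code>, and the server's public endpoint is the placeholder <code>vpn.example.org:51820</code>; all of these are assumptions, adjustable through environment variables.

```shell
#!/bin/sh
# add-peer.sh: provision one more client for the wg0 server configured above.
# Added example; not from wireguard.com or from the wireguard-tools package.
# Assumptions (none of these are stated on the page): the server config is
# /etc/wireguard/wg0.conf, the tunnel carries 10.0.0.0/24 with the server at
# 10.0.0.1, and the server's public endpoint is SERVER_ENDPOINT (host:port).
set -eu

WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
WG_IFACE="${WG_IFACE:-wg0}"
TUNNEL_PREFIX="${TUNNEL_PREFIX:-10.0.0}"                    # first three octets of the /24
SERVER_ENDPOINT="${SERVER_ENDPOINT:-vpn.example.org:51820}"  # placeholder endpoint

# Print the lowest free host above the highest one already handed out in
# TUNNEL_PREFIX.0/24, scanning the AllowedIPs of every [Peer] in the server
# config. .1 is reserved for the server itself; trailing "# comments" and
# extra networks such as "192.168.50.0/24" behind a peer are ignored.
next_peer_ip() {
    conf="$1"
    last=1
    prefix_re=$(printf '%s' "$TUNNEL_PREFIX" | sed 's/\./\\./g')
    for ip in $(grep -i '^[[:space:]]*AllowedIPs' "$conf" | sed 's/#.*//' \
                | grep -o "${prefix_re}\.[0-9]*" || true); do
        host=${ip##*.}
        [ "$host" -gt "$last" ] && last=$host
    done
    last=$((last + 1))
    if [ "$last" -gt 254 ]; then
        echo "no free address left in ${TUNNEL_PREFIX}.0/24" >&2
        return 1
    fi
    echo "${TUNNEL_PREFIX}.${last}"
}

# [Peer] stanza for the server side. AllowedIPs here is the server's
# cryptokey-routing ACL: the peer may only source packets from this /32.
render_server_peer() {
    name="$1"; pub="$2"; ip="$3"
    printf '\n[Peer]\n# %s\nPublicKey = %s\nAllowedIPs = %s/32\n' "$name" "$pub" "$ip"
}

# Full client config in the same shape as the Client section above;
# AllowedIPs = 0.0.0.0/0 sends all of the client's traffic through the tunnel.
render_client_conf() {
    priv="$1"; server_pub="$2"; ip="$3"
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\n\n' "$priv" "$ip"
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\n' \
        "$server_pub" "$SERVER_ENDPOINT"
    printf '# PersistentKeepalive = 25\n'
}

# Generate a key pair for NAME, register it on the running interface and in
# the persistent config, and write NAME.conf for the client. Needs root and wg(8).
add_peer() {
    name="$1"
    umask 077                                  # the client's private key must not be world-readable
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    server_pub=$(wg show "$WG_IFACE" public-key)
    ip=$(next_peer_ip "$WG_CONF")
    render_server_peer "$name" "$pub" "$ip" >> "$WG_CONF"
    wg set "$WG_IFACE" peer "$pub" allowed-ips "$ip/32"   # applied live, no restart needed
    render_client_conf "$priv" "$server_pub" "$ip" > "$name.conf"
    echo "peer $name gets $ip; client config written to $name.conf"
}

case "${1:-}" in
    add)     add_peer "$2" ;;
    next-ip) next_peer_ip "$WG_CONF" ;;
esac
```

Usage: <code>sudo ./add-peer.sh add laptop</code> writes <code>laptop.conf</code>, which is moved to the client as <code>/etc/wireguard/wg0.conf</code> over a trusted channel and never left world-readable, since it carries the client's private key. <code>./add-peer.sh next-ip</code> only shows which address would be handed out. Because the live change is made with <code>wg set</code> and the same block is appended to <code>wg0.conf</code>, the new peer survives the next <code>wg-quick@wg0</code> restart without a <code>SaveConfig</code> directive.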