Virtual Private Network (VPN) software was used by enterprises years ago to securely connect offices to each other and to give travelling workers access to their internal applications. Since then, VPNs have also proven useful for people who want to protect their privacy or reach geographically restricted services from another region. Setting up a self-hosted VPN service used to be a lot of work; with Wireguard it no longer is.
Wireguard has been in development for several years. An important milestone, version 1.0, was reached in March 2020, when it was also merged into the 5.6 Linux kernel. Since few (server) machines in production run such a recent kernel, Wireguard usually has to be installed as an out-of-tree module and configured by hand. In this article we install Wireguard on Debian Linux machines that act as the VPN server and the VPN client.
Installing Wireguard on Debian
Note. Before installing Wireguard with apt package management, save your iptables settings (for example with the command: iptables-save > firewall.rules). An earlier version of the installation package removed the existing iptables rules and replaced them with its own firewall rules. To start the installation, open a terminal and type on the command line:
apt-get install wireguard-tools
apt-get install wireguard-dkms
apt-get install wireguard

The wireguard-dkms package builds the kernel module for the running kernel, which is only needed on kernels older than 5.6; on 5.6 or newer the module is already part of the kernel and wireguard-tools is sufficient. For the DKMS build you may also need to install:

apt-get install dkms
After running these commands, check that the kernel module loads by loading it with the modprobe command (the same check is repeated on the client below):

If modprobe doesn't output anything, the module loaded and all the required parts should be in place.
Wireguard server setup
The exact same Wireguard software is installed on Linux servers and clients; the VPN configuration of each computer determines its role. Wireguard apps are also available for Windows, Android, Apple macOS and iOS. Let's start the configuration by creating a directory for the Wireguard settings:
mkdir /etc/wireguard
chmod 700 /etc/wireguard
Create the private and public keys that are needed to establish secure tunnels between the server and its clients. The private key must never leave this machine, and because tee creates the file with your default umask, make sure the resulting privatekey file is readable only by root:

cd /etc/wireguard
wg genkey | tee privatekey | wg pubkey > publickey
In an editor, create the file wg0.conf in the /etc/wireguard directory and paste the following lines into it:

[Interface]
Address=192.168.2.1
PrivateKey=
ListenPort=51820
The interface address can be any IP from the private address space, as long as the clients use the same subnet. It is conventional to give it the subnet prefix (for example 192.168.2.1/24) so the server knows the whole tunnel subnet is reachable through wg0.
PrivateKey: copy and paste the value from the /etc/wireguard/privatekey file. Do not paste the server's public key here by mistake; the two are different files.

ListenPort can be any free UDP port; 51820 is the Wireguard default.
Configuring the Wireguard VPN Client
If you are going to set up one or more VPN clients, now is the time to make sure that you can easily copy public keys from one device to another. Only the public keys need to be exchanged; each machine's private key stays where it was generated. We used Nextcloud as temporary storage for transferring keys from one device to another, but Yandex Disk, Evernote, Dropbox, email or any other service that you trust and find convenient is fine.
Install the same software packages on the Linux client as on the server. Verify that the kernel module loads using the modprobe command, as on the server.
Create private and public keys in the /etc/wireguard directory as you did on the server.
Create the following wg0.conf file in the client's /etc/wireguard directory in an editor. Unlike the server, the client has no ListenPort, but it still needs its own [Interface] section with its tunnel address and private key; without it wg-quick refuses to bring the interface up.

[Interface]
Address=192.168.2.2/32
PrivateKey=

[Peer]
PublicKey=
Endpoint= . . . :51820
AllowedIPs=0.0.0.0/0
# if this computer is behind a NAT, add the line:
PersistentKeepalive=25
In the [Interface] section, Address is the client's own address inside the tunnel and PrivateKey is the contents of the client's /etc/wireguard/privatekey.

In the [Peer] section, PublicKey is the server's public key (/etc/wireguard/publickey on the server), which you copy from the server and paste here.

Endpoint is the server's public IP address followed by the server's Wireguard port.

If AllowedIPs is all zeros (0.0.0.0/0), all IPv4 traffic from this computer is routed through the VPN while the tunnel is up. You can limit which traffic goes through the VPN by changing this field, for example to the tunnel subnet only.

PersistentKeepalive makes the client send a packet every 25 seconds so that a NAT device between it and the server keeps the UDP mapping open; leave it out when the client has a public address.
To complete the client configuration, you must also edit the wg0.conf file on the server. Insert the following lines at the end of the file:

[Peer]
# home laptop
PublicKey=
AllowedIPs=192.168.2.2/32
PublicKey: insert the public key of the client computer here.

AllowedIPs specifies the client's IP address inside the VPN tunnel. On the server it should be exactly the client's /32: Wireguard uses this field both as the routing table for outgoing packets and as an access control list for incoming ones, so a client that sends packets from any other source address is dropped.
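The server and client configurations above, rendered by a small script. This is an added example, not code from the original article: the function names, the 203.0.113.5 endpoint and the sample "keys" are constructed for illustration, and the tunnel subnet 192.168.2.0/24 and port 51820 are the values used in this article. The key generation sets umask 077 so the private key file is created readable by root only, and each client peer on the server gets a single /32 in AllowedIPs.

```shell
#!/bin/sh
# Added example: render Wireguard server and client wg0.conf files.
# gen_keys needs wg from wireguard-tools and is only run on request; the
# render_* functions are pure and can be tested without Wireguard installed.
# Function names and sample keys are this example's own, not from the article.
set -eu

# Create privatekey/publickey in DIR. umask 077 makes the files mode 0600,
# so the private key is not readable by other users (tee honours the umask).
gen_keys() {
    umask 077
    mkdir -p "$1"
    wg genkey | tee "$1/privatekey" | wg pubkey > "$1/publickey"
}

# Server [Interface]: PRIVKEY ADDRESS (with prefix, e.g. 192.168.2.1/24) PORT
render_server_interface() {
    printf '[Interface]\nAddress=%s\nPrivateKey=%s\nListenPort=%s\n' "$2" "$1" "$3"
}

# One client [Peer] block for the server file: COMMENT PUBKEY TUNNEL_IP.
# AllowedIPs is a /32: the only source address this key may use in the tunnel.
render_server_peer() {
    printf '\n[Peer]\n# %s\nPublicKey=%s\nAllowedIPs=%s/32\n' "$1" "$2" "$3"
}

# Client file: PRIVKEY TUNNEL_IP SERVER_PUBKEY ENDPOINT(host:port) ALLOWED [KEEPALIVE]
# ALLOWED=0.0.0.0/0 routes all IPv4 through the tunnel; KEEPALIVE is only
# added when given, i.e. when the client sits behind NAT.
render_client_conf() {
    printf '[Interface]\nAddress=%s/32\nPrivateKey=%s\n\n[Peer]\nPublicKey=%s\nEndpoint=%s\nAllowedIPs=%s\n' \
        "$2" "$1" "$3" "$4" "$5"
    if [ -n "${6:-}" ]; then
        printf 'PersistentKeepalive=%s\n' "$6"
    fi
}

# Add a client to a running interface without restarting it, then persist the
# change to wg0.conf (needs wg and wg-quick; not run by the tests): PUBKEY TUNNEL_IP
add_live_peer() {
    wg set wg0 peer "$1" allowed-ips "$2/32"
    wg-quick save wg0
}

# Constructed demo: a server with two clients. The key strings are placeholders
# of the right shape, not real Wireguard keys.
demo_server_conf() {
    render_server_interface 'U0VSVkVSX1BSSVZBVEVfS0VZX0RFTU9fT05MWV8wMDA=' 192.168.2.1/24 51820
    render_server_peer 'home laptop' 'TEFQVE9QX1BVQkxJQ19LRVlfREVNT19PTkxZXzAwMDA=' 192.168.2.2
    render_server_peer 'phone'       'UEhPTkVfUFVCTElDX0tFWV9ERU1PX09OTFlfMDAwMDA=' 192.168.2.3
}

demo_client_conf() {
    # Laptop behind a home NAT, so a 25 s keepalive is included.
    render_client_conf 'TEFQVE9QX1BSSVZBVEVfS0VZX0RFTU9fT05MWV8wMA==' 192.168.2.2 \
        'U0VSVkVSX1BVQkxJQ19LRVlfREVNT19PTkxZXzAwMDA=' 203.0.113.5:51820 0.0.0.0/0 25
}

# Usage: sh wg-conf.sh keys [DIR] | server | client
case "${1:-}" in
    keys)   gen_keys "${2:-/etc/wireguard}" ;;
    server) demo_server_conf ;;
    client) demo_client_conf ;;
esac
```

Run it with the argument server or client to print the two files, compare them with the hand-written versions above, and replace the placeholder keys with the real ones from /etc/wireguard/privatekey and /etc/wireguard/publickey on each machine.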
You can now test whether your new VPN connects the two computers securely. Enter the following command on both the server and the client:

wg-quick up wg0

On the client, check that it can reach the server over the tunnel by pinging the server's tunnel address, 192.168.2.1 (or ping 192.168.2.2 from the server's own keyboard):
If you get a response, congratulations: you have a secure tunnel between these two computers. This, however, is not the end of the story. You probably want to reach the public Internet through the VPN, and that requires a little more work: the server has to route traffic between the tunnel and the Internet in both directions.
Routing Wireguard VPN traffic to the Internet
Since this step uses the standard Linux firewall iptables, there are many ways to do it, and the correct settings also depend on the rules already present in the server's iptables. Here are the settings that worked on all of my Debian servers. Enter the following commands:

iptables -A INPUT -p udp -m udp --dport 51820 -j ACCEPT
iptables -A FORWARD -i wg0 -j ACCEPT
iptables -A FORWARD -o wg0 -j ACCEPT

These rules only accept the Wireguard port and allow forwarding to and from wg0. On most servers the tunnel addresses (192.168.2.x) also have to be source-NATed (masqueraded) on the Internet-facing interface, because nothing on the Internet knows how to route replies back to a private address; if the server already has a MASQUERADE rule in its nat table, you are covered, otherwise add one.
Try pinging, for example, google.com or yandex.ru. If you don’t get a response, the first place to troubleshoot is the operating system forwarding options.
Use sysctl to view the current kernel network settings. The command displays a long list of items; look for the value of net.ipv4.ip_forward. If it is 0, the kernel will not forward packets between interfaces, so nothing can pass from wg0 to the Internet. Enable forwarding with the command:

sysctl -w net.ipv4.ip_forward=1
Ping an external address again to verify. If that works, you can make the setting permanent by creating the file /etc/sysctl.d/local.conf and pasting this line into it:

net.ipv4.ip_forward = 1

(For tips on how changes to the conf file are picked up, see the Debian README file located in the /etc/sysctl.d directory.)
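The routing and firewall steps of this last section, written as an added example (not code from the original article) that turns the manual iptables commands into PostUp/PostDown hooks for the server's wg0.conf and adds the masquerade rule the manual list does not include, so the rules are installed when the tunnel comes up and removed when it goes down. The interface name eth0, the function names and the sample sysctl file used in the demo are assumptions; port 51820 and the tunnel subnet 192.168.2.0/24 are the article's values.

```shell
#!/bin/sh
# Added example: firewall and forwarding setup for the Wireguard server.
# Function names, the WAN interface name and the demo inputs are this
# example's own assumptions, not from the original article.
set -eu

# Print the iptables commands for ACTION (A = add, D = delete) WAN_IF PORT SUBNET.
# The first three rules are the article's; the fourth masquerades tunnel
# traffic leaving through WAN_IF so that replies from the Internet come back
# to the server's public address instead of being sent to an unroutable
# 192.168.2.x address. Limiting the rule to SUBNET keeps it from rewriting
# unrelated traffic.
wg_fw_rules() {
    printf 'iptables -%s INPUT -p udp -m udp --dport %s -j ACCEPT\n' "$1" "$3"
    printf 'iptables -%s FORWARD -i wg0 -j ACCEPT\n' "$1"
    printf 'iptables -%s FORWARD -o wg0 -j ACCEPT\n' "$1"
    printf 'iptables -t nat -%s POSTROUTING -s %s -o %s -j MASQUERADE\n' "$1" "$4" "$2"
}

# Join stdin lines with "; " so several commands fit on one wg-quick hook line.
join_semicolon() {
    out=''; sep=''
    while IFS= read -r line; do
        out="$out$sep$line"; sep='; '
    done
    printf '%s' "$out"
}

# Emit PostUp/PostDown lines for the [Interface] section: WAN_IF PORT SUBNET.
# wg-quick runs PostUp after the interface is up and PostDown after it is
# removed, so `wg-quick down wg0` leaves no stray rules behind.
wg_hook_lines() {
    printf 'PostUp = %s\n'   "$(wg_fw_rules A "$1" "$2" "$3" | join_semicolon)"
    printf 'PostDown = %s\n' "$(wg_fw_rules D "$1" "$2" "$3" | join_semicolon)"
}

# Return 0 when IPv4 forwarding is enabled. FILE defaults to the live kernel
# node; a path can be passed to check a saved or sample value instead.
ip_forward_enabled() {
    f=${1:-/proc/sys/net/ipv4/ip_forward}
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Apply the rules now and turn on forwarding (root; not run by the tests).
apply_now() {
    wg_fw_rules A "$1" "$2" "$3" | sh -e
    ip_forward_enabled || sysctl -w net.ipv4.ip_forward=1
}

# Usage: sh wg-fw.sh hooks [WAN_IF] | apply [WAN_IF] | check
case "${1:-}" in
    hooks) wg_hook_lines "${2:-eth0}" 51820 192.168.2.0/24 ;;
    apply) apply_now "${2:-eth0}" 51820 192.168.2.0/24 ;;
    check) ip_forward_enabled && echo 'forwarding on' || echo 'forwarding off' ;;
esac
```

Run sh wg-fw.sh hooks and paste the two printed lines into the [Interface] section of the server's wg0.conf, replacing eth0 with the name of the server's Internet-facing interface (ip route show default prints it). After wg-quick down wg0 and wg-quick up wg0 the rules are managed by the tunnel, and iptables -S and iptables -t nat -S show them only while it is up. The persistent ip_forward setting still belongs in /etc/sysctl.d/local.conf as described above.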