How to set up WireGuard on a Debian-based server
Installation
We're going to install WireGuard and qrencode on the server by running the command below:
apt install wireguard qrencode
Server-side configuration
Key Generation
After installation the next step is the creation of a private and a public key for the WireGuard server.
The first step is creating the private key:
wg genkey | sudo tee /etc/wireguard/private.key
Restrict the permissions of the file so that group and others have no access:
chmod go= /etc/wireguard/private.key
Never share the private key, or your VPN will be compromised!
The next step is generating the public key from the private key:
cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
After the keys are created, we can create a configuration file for WireGuard:
nano /etc/wireguard/wg0.conf
Add the following settings:
[Interface]
Address = 10.10.10.1
PrivateKey = <PRIVATE_KEY_SERVER>
ListenPort = 51820
[Peer]
PublicKey = <PUBLIC_KEY_CLIENT>
PresharedKey = <PRE_SHARED_KEY>
AllowedIPs = 10.10.10.2/32
Client-side configuration
Key generation
Create a private key, a public key and a preshared key for the WireGuard client. These commands are run on the server:
mkdir -p /etc/wireguard/clients
wg genkey | sudo tee /etc/wireguard/clients/mobile.key | wg pubkey | sudo tee /etc/wireguard/clients/mobile.key.pub
wg genpsk | sudo tee /etc/wireguard/clients/mobile.psk.key
Create the client configuration file and add the following settings:
nano /etc/wireguard/clients/mobile.conf
[Interface]
PrivateKey = <ENTER_PRIVATE_KEY_CLIENT>
Address = 10.10.10.2/24
DNS = 10.10.10.1
[Peer]
PublicKey = <ENTER_PUBLIC_KEY_SERVER>
PreSharedKey = <ENTER_PRE_SHARED_KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = <ENTER_PUBLIC_IP_OF_SERVER>:<ENTER_PORT_NUMBER>
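Create a QR code for easy setup on a mobile device. The image encodes the whole client configuration, including the client's private key, so delete it once the device has scanned it: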
cat /etc/wireguard/clients/mobile.conf | qrencode -o wireguard-android-conf.png
Starting WireGuard on the server
wg-quick up wg0
Start WireGuard automatically at every system boot
systemctl enable wg-quick@wg0
If you want multiple clients to connect to the WireGuard server, repeat the steps above for every client.
The config file on the server should then look like the one below, with one [Peer] section per client.
[Interface]
Address = 10.10.10.1
PrivateKey = <PRIVATE_KEY_SERVER>
ListenPort = 51820
[Peer]
PublicKey = <PUBLIC_KEY_CLIENT_1>
PresharedKey = <PRE_SHARED_KEY_1>
AllowedIPs = 10.10.10.2/32
[Peer]
PublicKey = <PUBLIC_KEY_CLIENT_2>
PresharedKey = <PRE_SHARED_KEY_2>
AllowedIPs = 10.10.10.3/32
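When peers are added by copying an existing [Peer] block, it is easy to reuse an address. WireGuard keeps one route per allowed IP, so the later peer takes the address and the earlier one silently stops receiving traffic. The check below is an added example, not part of the original guide: it parses a server config in the layout shown above and reports peers whose AllowedIPs overlap, cover more than one host, or lack the PresharedKey this guide gives every peer. The function names and the sample config are constructed for illustration.

```python
import ipaddress

# Constructed sample: the page's server config with a reused address and a too-wide third peer.
SAMPLE = """\
[Interface]
Address = 10.10.10.1
PrivateKey = <PRIVATE_KEY_SERVER>
ListenPort = 51820
[Peer]
PublicKey = <PUBLIC_KEY_CLIENT_1>
PresharedKey = <PRE_SHARED_KEY_1>
AllowedIPs = 10.10.10.2/32
[Peer]
PublicKey = <PUBLIC_KEY_CLIENT_2>
PresharedKey = <PRE_SHARED_KEY_2>
AllowedIPs = 10.10.10.2/32
[Peer]
PublicKey = <PUBLIC_KEY_CLIENT_3>
AllowedIPs = 10.10.10.0/24
"""

def parse_sections(text):
    """Return [(section_name, {key: value})]; keys lower-cased, [Peer] may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].lower(), {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)  # split once: base64 keys end in '='
            sections[-1][1][key.strip().lower()] = value.strip()
    return sections

def audit_peers(text):
    """Flag peers whose AllowedIPs overlap, are wider than one host, or lack a PSK."""
    findings, seen = [], []  # seen holds (network, peer_index) of earlier peers
    peers = [kv for name, kv in parse_sections(text) if name == "peer"]
    for idx, peer in enumerate(peers, 1):
        if "presharedkey" not in peer:
            findings.append((idx, "no-psk"))
        for item in filter(None, map(str.strip, peer.get("allowedips", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)
            if net.num_addresses > 1:
                findings.append((idx, "wide:" + str(net)))
            for other, other_idx in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append((idx, "overlaps-peer-%d" % other_idx))
            seen.append((net, idx))
    return findings
```

Run audit_peers() on the contents of /etc/wireguard/wg0.conf after each new client is added; an empty list means every peer has its own single address and a preshared key.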