How to set up WireGuard on a Debian-based server

Installation

We are going to install wireguard and qrencode on the server by running the command below:

apt install wireguard qrencode


Server-side configuration

Key Generation

After installation the next step is the creation of a private and a public key for the WireGuard server.

The first step is creating the private key:

wg genkey | sudo tee /etc/wireguard/private.key

Restrict the file's permissions so that group and others have no access to it:

chmod go= /etc/wireguard/private.key

Never share the private key, or your VPN will be compromised!

The next step is generating the public key from the private key:

cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key

After the keys are created, we can create a configuration file for WireGuard:

nano /etc/wireguard/wg0.conf

Add the following settings:

[Interface]
Address = 10.10.10.1
PrivateKey = <PRIVATE_KEY_SERVER>
ListenPort = 51820

[Peer]
PublicKey = <PUBLIC_KEY_CLIENT>
PresharedKey = <PRE_SHARED_KEY>
AllowedIPs = 10.10.10.2/32 

Client-side configuration

Key generation

Create a private, a public and a preshared key for the WireGuard client on the server:

mkdir -p /etc/wireguard/clients; wg genkey | sudo tee /etc/wireguard/clients/mobile.key | wg pubkey | sudo tee /etc/wireguard/clients/mobile.key.pub; wg genpsk | sudo tee /etc/wireguard/clients/mobile.psk.key

Create the configuration file for the client:

nano /etc/wireguard/clients/mobile.conf

Add the following settings:

[Interface]
PrivateKey = <ENTER_PRIVATE_KEY_CLIENT>
Address = 10.10.10.2/24
DNS = 10.10.10.1

[Peer]
PublicKey = <ENTER_PUBLIC_KEY_SERVER>
PreSharedKey = <ENTER_PRE_SHARED_KEY>
AllowedIPs = 0.0.0.0/0
Endpoint = <ENTER_PUBLIC_IP_OF_SERVER>:<ENTER_PORT_NUMBER>

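Create a QR code for easy setup on a mobile device. The resulting image contains the client's private and preshared keys, so treat it like the key files: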

cat /etc/wireguard/clients/mobile.conf | qrencode -o wireguard-android-conf.png

Starting WireGuard on the server

wg-quick up wg0

Enable WireGuard after every system reboot

systemctl enable wg-quick@wg0

If you want multiple clients to connect to the WireGuard server, repeat the above steps for every client, giving each client its own keys and its own address.
The config file on the server should then look like the one below:

[Interface]
Address = 10.10.10.1
PrivateKey = <PRIVATE_KEY_SERVER>
ListenPort = 51820

[Peer]
PublicKey = <PUBLIC_KEY_CLIENT_1>
PresharedKey = <PRE_SHARED_KEY_1>
AllowedIPs = 10.10.10.2/32 

[Peer]
PublicKey = <PUBLIC_KEY_CLIENT_2>
PresharedKey = <PRE_SHARED_KEY_2>
AllowedIPs = 10.10.10.3/32
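
Repeating the client steps by hand is error-prone, so here is one way to script them. This is an added example, not part of the original guide: the function names and the script name add-client.sh are hypothetical. It assumes the 10.10.10.0/24 layout and the /etc/wireguard paths used above, and one address per AllowedIPs line.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the original guide).
# Usage, as root: sh add-client.sh <name> <server_ip:port>
WG_DIR="${WG_DIR:-/etc/wireguard}"            # layout used in the guide
SERVER_CONF="${SERVER_CONF:-$WG_DIR/wg0.conf}"

# Print the lowest 10.10.10.N (N = 2..254) with no AllowedIPs entry in file $1.
next_client_ip() {
    n=2
    while [ "$n" -le 254 ]; do
        if ! grep -Eq "^AllowedIPs[[:space:]]*=[[:space:]]*10\.10\.10\.$n/32" "$1"; then
            echo "10.10.10.$n"; return 0
        fi
        n=$((n + 1))
    done
    return 1    # subnet exhausted
}

# Print the [Peer] stanza for the server. Args: client_pubkey psk client_ip
server_peer_block() {
    printf '\n[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = %s/32\n' "$1" "$2" "$3"
}

# Print the client config. Args: client_privkey client_ip server_pubkey psk endpoint
client_config() {
    printf '[Interface]\nPrivateKey = %s\nAddress = %s/24\nDNS = 10.10.10.1\n\n' "$1" "$2"
    printf '[Peer]\nPublicKey = %s\nPresharedKey = %s\nAllowedIPs = 0.0.0.0/0\nEndpoint = %s\n' "$3" "$4" "$5"
}

# Generate keys for one client, write its config, register it on the server.
add_client() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) echo "bad client name" >&2; return 1 ;; esac
    umask 077                                  # new files readable by owner only
    mkdir -p "$WG_DIR/clients"
    ip=$(next_client_ip "$SERVER_CONF") || { echo "no free address" >&2; return 1; }
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    psk=$(wg genpsk)
    client_config "$priv" "$ip" "$(cat "$WG_DIR/public.key")" "$psk" "$2" \
        > "$WG_DIR/clients/$1.conf"
    server_peer_block "$pub" "$psk" "$ip" >> "$SERVER_CONF"
    qrencode -t ansiutf8 < "$WG_DIR/clients/$1.conf"   # QR on the terminal, no PNG left on disk
}

if [ "$#" -eq 2 ]; then add_client "$@"; fi
```

A running interface does not pick up the appended [Peer] block until wg0 is restarted (wg-quick down wg0, then wg-quick up wg0).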