How to Configure a WireGuard VPN Server on Debian 12 Bookworm

Learn how to set up a WireGuard VPN server on Debian 12 Bookworm.

Introduction

WireGuard is a modern, lightweight, and fast VPN protocol designed to be simple yet highly secure. Unlike traditional VPN solutions such as OpenVPN or IPSec, WireGuard aims to be easier to configure and maintain while providing state-of-the-art cryptography. It is particularly well-suited for use on Linux-based systems, including Debian 12 Bookworm.

In this guide, we will walk you through setting up a WireGuard VPN server on a Debian 12 system. We will cover the installation, configuration, key management, firewall settings, and client connection.

Prerequisites

Before proceeding, ensure you have the following:

  • A Debian 12 Bookworm server with root or sudo access
  • A static public IP address (or a domain name pointing to your server)
  • Basic knowledge of Linux command-line usage

Step 1: Install WireGuard

WireGuard is included in the default repositories of Debian 12, making installation straightforward. Run the following command to install it:

sudo apt update && sudo apt install -y wireguard

To verify the installation, check the version:

wg --version

Step 2: Generate Server Keys

WireGuard uses public and private key pairs for authentication. Generate the server's key pair with the following command. Because umask is a shell builtin and /etc/wireguard is only accessible by root, the umask, the cd and the output redirections all have to run inside a single root shell (a plain `sudo umask 077` has no effect on your session, and a `tee` run as your own user cannot write into /etc/wireguard):

sudo sh -c 'umask 077; cd /etc/wireguard && wg genkey | tee privatekey | wg pubkey > publickey'

To view the keys (the files are readable by root only, hence sudo), use:

sudo cat /etc/wireguard/privatekey
sudo cat /etc/wireguard/publickey

The private key goes into the server's WireGuard configuration and never leaves the server; only the public key is shared with clients.

Step 3: Configure WireGuard Server

Create a new configuration file for the WireGuard interface (e.g., wg0):

sudo nano /etc/wireguard/wg0.conf

Add the following content, replacing <YOUR_PRIVATE_KEY> with the actual private key:

[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <YOUR_PRIVATE_KEY>
SaveConfig = true
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

  • Address: Assigns the VPN server its internal (tunnel) IP address.
  • ListenPort: Specifies the UDP port WireGuard will listen on (default is 51820).
  • PrivateKey: Holds the private key generated earlier.
  • SaveConfig: Makes wg-quick write the running configuration back to wg0.conf whenever the interface is brought down, so changes made with wg commands are kept. The flip side is that any edit made to the file while the interface is up is overwritten at the next shutdown or restart; bring the interface down before editing the file by hand.
  • PostUp & PostDown: Add the forwarding and NAT rules when the interface comes up and remove them when it goes down. eth0 is assumed to be the server's public-facing interface; substitute the real interface name if it differs.

Save the file and exit.

Step 4: Enable IP Forwarding

To allow traffic forwarding through the VPN, enable IP forwarding by editing the sysctl configuration:

sudo nano /etc/sysctl.conf

Uncomment or add the following line:

net.ipv4.ip_forward=1

Apply the changes:

sudo sysctl -p

Step 5: Configure Firewall Rules

If you use UFW, allow WireGuard traffic. If UFW is not yet active, also allow your SSH port before running ufw enable, since UFW denies incoming connections by default and would otherwise cut off your session:

sudo ufw allow 51820/udp
sudo ufw enable

For iptables, use:

sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT
sudo iptables -A FORWARD -i wg0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

To make iptables rules persistent:

sudo apt install -y iptables-persistent
sudo netfilter-persistent save

Step 6: Start and Enable WireGuard

Enable and start WireGuard:

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0

Check the status:

sudo systemctl status wg-quick@wg0

Step 7: Add Clients

For each client, generate a key pair (the same genkey/pubkey command as in Step 2, run on the client) and configure it accordingly. On the server, add a peer by modifying /etc/wireguard/wg0.conf. With SaveConfig = true in the [Interface] section, wg-quick rewrites this file from the running state when the interface goes down, so bring the interface down before editing, or the new peer is lost at the restart below:

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32

Restart WireGuard to apply changes:

sudo systemctl restart wg-quick@wg0

On the client machine, create a WireGuard configuration file in /etc/wireguard, such as /etc/wireguard/wg-client.conf (wg-quick resolves an interface name to a file in that directory). Address is the tunnel address that matches the AllowedIPs entry added on the server:

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.0.0.2/24
DNS = 8.8.8.8

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_IP>:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Start WireGuard on the client:

sudo wg-quick up wg-client
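Hand-editing [Peer] blocks is where this step most often goes wrong: two clients end up with the same tunnel address in AllowedIPs, and WireGuard's cryptokey routing then silently reassigns the address to whichever peer was configured last. The following Python check is an added example, not part of this guide; it parses a wg0.conf in the format shown above and reports AllowedIPs entries that overlap between peers. The sample configuration and its placeholder keys are constructed.

```python
import ipaddress

# Constructed sample (not a real deployment): the Step 3 server config plus
# two peers, where the second peer mistakenly reuses client A's /32.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = <YOUR_PRIVATE_KEY>
[Peer]
PublicKey = <CLIENT_A_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32
[Peer]
PublicKey = <CLIENT_B_PUBLIC_KEY>
AllowedIPs = 10.0.0.2/32, 192.168.50.0/24
"""

def parse_wg_conf(text):
    """Return (interface, [peers]) dicts from wg-quick INI text. Split on
    the first '=' only, because base64 WireGuard keys end in '='."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return interface, peers

def check_peers(text):
    """Report AllowedIPs entries that overlap between peers. An identical
    entry is silently moved to the peer configured last (the earlier client
    loses connectivity); a nested one is resolved by longest-prefix match."""
    _, peers = parse_wg_conf(text)
    seen, problems = [], []
    for i, peer in enumerate(peers):
        if "PublicKey" not in peer:
            problems.append(f"peer {i}: missing PublicKey")
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            for j, other in seen:
                if net.version == other.version and net.overlaps(other):
                    problems.append(f"peer {i} {net} overlaps peer {j} {other}")
            seen.append((i, net))
    return problems
```

Run check_peers on the text of your wg0.conf before bringing the interface up; an empty list means every peer owns a distinct range.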

Step 8: Verify Connectivity

Check the WireGuard interface on the server; a connected client shows a recent "latest handshake" line and non-zero transfer counters:

sudo wg show

Test connectivity from the client by pinging the server:

ping 10.0.0.1

If everything is configured correctly, the VPN should be operational.

Conclusion

Congratulations! You have successfully set up a WireGuard VPN server on Debian 12 Bookworm. This configuration provides secure and efficient encrypted communication between your server and connected clients. You can expand your setup by adding more clients, configuring advanced firewall rules, or setting up a DNS resolver for enhanced privacy.