WireGuard® is an extremely simple, fast and modern VPN that uses state-of-the-art cryptography. Its goal is to be faster and simpler than other implementations like IPSec and OpenVPN.
All node communication is done using peers and all communication between peers is done over the UDP protocol. Each peer acts as client and server.
With WireGuard you can create a secure internal network: all traffic is encrypted, so it is not susceptible to man-in-the-middle (MITM) attacks. It can also be used as a proxy to access blocked sites or simply to hide your external IP.
⚠️ Note: The steps marked "(Debian 10)" are only needed on Debian 10; if you have version 11, 12 or higher, those steps are not necessary.
Enable backports repository (Debian 10)
# echo 'deb http://deb.debian.org/debian buster-backports main' >> /etc/apt/sources.list
Download package information
# apt update
Install linux-headers (Debian 10)
# apt install linux-headers-$(uname --kernel-release) dkms
# apt install wireguard
Load wireguard module (Debian 10)
# modprobe wireguard
Test if module has been loaded (Debian 10)
# lsmod |grep wireguard
wireguard 204800 0
ip6_udp_tunnel 16384 1 wireguard
udp_tunnel 16384 1 wireguard
Load module automatically (Debian 10)
# echo wireguard >> /etc/modules
Move to /etc/wireguard DIR
# cd /etc/wireguard
Create the DIR to store public and private key (Optional)
# mkdir keys
Change permission mask
Guarantee that only root has access to the configuration files and private keys.
# umask 077
Generate private key
# wg genkey > keys/private
Generate public key
# wg pubkey < keys/private >keys/public
Create configuration file wg0.conf
[Interface]
PrivateKey = Put here the private key
ListenPort = 51820
# IP address of this peer can be
# any value in the range assigned to LAN networks
Address = 10.1.1.1/32

# Client peers
# In this part we put all the peers with which this peer will communicate
[Peer]
PublicKey = Put here the public key of the client peer
#
# IP address of the client peer, this is a reachable IP address, for example
# any IP address from your local area network or a public IP, in other words
# all peers must be able to communicate over another type of network before configuring
# WireGuard, in this case we are assuming that both peers are on the same LAN
# for example: 192.168.100.0/24
Endpoint = 192.168.100.1:51820
#
# IP address of the client peer in the VPN
AllowedIPs = 10.1.1.2/32
#
# Send a packet every 25s to keep the connection alive, useful for
# NAT firewalls
PersistentKeepalive = 25
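A check for the umask and wg0.conf steps above, added here as an example and not part of the original guide: it reports files under the WireGuard directory that group or other can access, and key fields that still hold the template text or a malformed value. The function name `wg_audit` is this example's own, and GNU find, stat and grep (as shipped with Debian) are assumed.

```shell
#!/bin/sh
# Added example (not from the original guide): audit /etc/wireguard after setup.
# Assumes GNU find/stat/grep as shipped with Debian; wg_audit is a hypothetical name.

# A WireGuard key is 32 bytes in base64: 43 characters plus one '=' pad, and the
# 43rd character carries only 4 key bits, so it comes from a 16-character set.
KEY_RE='[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]='

# wg_audit DIR: print findings, return 0 if there are none, 1 otherwise.
wg_audit() {
    dir=$1
    rc=0
    # 1. Files written under "umask 077" have no group/other bits (600, 400, ...).
    loose=$(find "$dir" -type f -exec stat -c '%a %n' {} + |
            grep -Ev '^([0-7]*00|0) ' || true)
    if [ -n "$loose" ]; then
        echo "accessible to group/other (mode path):"
        echo "$loose"
        rc=1
    fi
    # 2. Every PrivateKey/PublicKey value must be a real key, not the template
    #    text. Only file, line number and field name are printed, never the value.
    bad=$(grep -HnE '^[[:space:]]*(PrivateKey|PublicKey)[[:space:]]*=' \
              "$dir"/*.conf 2>/dev/null |
          grep -Ev "=[[:space:]]*${KEY_RE}[[:space:]]*\$" | cut -d= -f1)
    if [ -n "$bad" ]; then
        echo "not a valid key (file:line:field):"
        echo "$bad"
        rc=1
    fi
    return $rc
}

# Run as: sh wg_audit.sh /etc/wireguard
if [ $# -gt 0 ]; then
    wg_audit "$1"
fi
```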
Handle as a service
# systemctl enable wg-quick@wg0
Created symlink /etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service → /lib/systemd/system/wg-quick@.service.
# systemctl start wg-quick@wg0
# systemctl status wg-quick@wg0
# systemctl restart wg-quick@wg0
# systemctl stop wg-quick@wg0
Recompile WireGuard module (Debian 10)
After upgrading Debian 10 and rebooting the OS, your VPN does not work, so you must recompile the module with the following command:
# dkms autoinstall