How to install Wireguard VPN in Debian?

WireGuard® is an extremely simple, fast and modern VPN that uses state-of-the-art cryptography. Its goal is to be faster and simpler than other implementations like IPSec and OpenVPN.

All node communication is done using peers and all communication between peers is done over the UDP protocol. Each peer acts as client and server.

With WireGuard you can create a secure internal network: all traffic is encrypted, so it is not susceptible to man-in-the-middle (MITM) attacks. It can also be used as a proxy to access blocked sites or simply to hide your external IP.

⚠️ Note: These steps were written for Debian 10. On Debian 11, 12 or later, the steps marked "(Debian 10)" are not necessary.

Enable backports repository (Debian 10)

# echo 'deb buster-backports main' >> /etc/apt/sources.list

Download package information

# apt update

Install linux-headers (Debian 10)

# apt install linux-headers-$(uname --kernel-release) dkms

Install wireguard

# apt install wireguard

Load wireguard module (Debian 10)

# modprobe wireguard

Test if the module has been loaded (Debian 10)

# lsmod | grep wireguard
wireguard             204800  0
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             16384  1 wireguard

Load module automatically (Debian 10)

# echo wireguard >> /etc/modules

Move to the /etc/wireguard directory

# cd /etc/wireguard

Create the directory to store the public and private keys (optional)

# mkdir keys

Change permission mask

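Set the mask so that files created from now on in this shell are accessible only by their owner. This guarantees that only root has access to the configuration files and private keys.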

# umask 077

Generate private key

# wg genkey > keys/private 

Generate public key

# wg pubkey < keys/private >keys/public

Create configuration file wg0.conf

[Interface]
PrivateKey = Put here the private key
ListenPort = 51820
# IP address of this peer; it can be
# any value in the range assigned to LAN networks
Address =

# Client peers
# In this part we put all the peers with which this peer will communicate
[Peer]
PublicKey = Put here the public key of the client peer
# IP address of the client peer. This is a reachable IP address, for example
# any IP address from your local area network or a public IP. In other words,
# all peers must be able to communicate over another type of network before
# configuring WireGuard. In this case we are assuming that both peers are on
# the same LAN, for example:
Endpoint =
# IP address of the client peer in the VPN
AllowedIPs =
# Send a packet every 25s to keep the connection alive, useful for
# NAT firewalls
PersistentKeepalive = 25
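
A check to run once the keys and wg0.conf exist, as an added example that is not part of the original tutorial. It lists anything under the WireGuard directory that group or others can access (this includes a keys directory created before umask 077 took effect) and any PrivateKey/PublicKey line that still holds placeholder text. The function names and the script name wg-audit.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names are hypothetical.

# List files and directories under $1 that group or others can access.
# Returns 0 when there are none, 1 otherwise.
wg_audit_perms() {
    # In "ls -ld" output, characters 5-10 of the mode are the group/other bits.
    exposed=$(find "$1" \( -type f -o -type d \) -exec ls -ld {} \; |
        awk 'substr($1, 5, 6) != "------" { print $1, $NF }')
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed"
        return 1
    fi
}

# List PrivateKey/PublicKey lines in config file $1 whose value is not
# 43 base64 characters followed by "=" (the form wg genkey and wg pubkey print).
# Only the line number and setting name are shown, never the value.
wg_audit_keys() {
    invalid=$(awk '
        /^[ \t]*(PrivateKey|PublicKey)[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*/, "", name); sub(/^[ \t]+/, "", name)
            val = $0;  sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (length(val) != 44 || val !~ "^[A-Za-z0-9+/]+=$")
                print "line " NR ": " name " is not a WireGuard key"
        }' "$1")
    if [ -n "$invalid" ]; then
        printf '%s\n' "$invalid"
        return 1
    fi
}

# Stand-alone use (as root): sh wg-audit.sh /etc/wireguard
if [ "$#" -gt 0 ]; then
    wg_audit_perms "$1" || echo "tighten with: chmod -R go= $1"
    wg_audit_keys "$1/wg0.conf" || echo "replace the placeholder keys in $1/wg0.conf"
fi
```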

Handle as a service

Start automatically

# systemctl enable wg-quick@wg0
Created symlink /etc/systemd/system/ → /lib/systemd/system/wg-quick@.service.


Start

# systemctl start wg-quick@wg0

Show status

# systemctl status wg-quick@wg0

Restart

# systemctl restart wg-quick@wg0

Stop

# systemctl stop wg-quick@wg0

Recompile Wireguard module (Debian 10)

After upgrading Debian 10 and rebooting the OS, the VPN stops working, so you must recompile the module with the following command:

# dkms autoinstall
