WireGuard note on Linux Debian 10 in 2021 #

Linux version: Debian 10

VPN Server #

First, create a vm on cloud:

Run:

# admin
sudo su

# install wireguard
apt-get install wireguard

# set folder and set umask
cd /etc/wireguard
umask 002

# generate private and public key
wg genkey | tee privkey | wg pubkey > pubkey

# create config file
touch /etc/wireguard/wg0.conf

Create /etc/wireguard/wg0.conf:

[Interface]
Address = <VPN_SREVER_IP>
ListenPort = <VPN_SREVER_PORT>
PrivateKey = <VPN_SERVER_PRIVATE_KEY>

# substitute eth0 in the following lines to match the Internet-facing interface
# if the server is behind a router and receives traffic via NAT, these iptables rules are not needed
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth4 -j MASQUERADE

Enable following settings on /etc/sysctl.d/99-sysctl.conf:

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding=1

Then activate new settings:

sysctl -p

Enable wireguard service when (re)start the server:

systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0

Extra, restart wireguard service if the settings changed:

wg addconf wg0 <(wg-quick strip wg0)

VPN Client #

[Interface]
Address = <CLIENT_IP>
PrivateKey = <CLIENT_PRIVATE_KEY>

[Peer]
AllowedIPs = 0.0.0.0/0 # traffic to vpn
Endpoint = <VPN_SERVER_DOMAIN_OR_IP>
PersistentKeepalive = 30
PublicKey = <VPN_SERVER_PUBLIC_KEY>

Then add to vpn server congig:

[Peer]
AllowIPs = <VPN_CLIENT_IP>
PublicKey = <CLIENT_PUBLIC_KEY>

Trouble shooting #

Unable to access interface: Protocol not supported #

Error:

wg-quick[9098]: [#] ip link add wg0 type wireguard
wg-quick[9098]: RTNETLINK answers: Operation not supported
wg-quick[9098]: Unable to access interface: Protocol not supported

Solution:

apt install linux-headers-$(uname -r)

Unable to connect LAN behind the VPN server #