# WireGuard note on Linux Debian 10 in 2021

Linux version: Debian 10
## VPN Server

First, create a VM on a cloud provider, then run:

```sh
# become root
sudo su
# install wireguard
apt-get install wireguard
# move to the config folder and set a restrictive umask so the private key is not readable by other users
cd /etc/wireguard
umask 077
# generate private and public key
wg genkey | tee privkey | wg pubkey > pubkey
# create config file
touch /etc/wireguard/wg0.conf
```

Create `/etc/wireguard/wg0.conf`:

```ini
[Interface]
Address = <VPN_SERVER_IP>
ListenPort = <VPN_SERVER_PORT>
PrivateKey = <VPN_SERVER_PRIVATE_KEY>
# substitute eth4 in the following lines to match the Internet-facing interface
# if the server is behind a router and receives traffic via NAT, these iptables rules are not needed
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth4 -j MASQUERADE
```
Enable the following settings in `/etc/sysctl.d/99-sysctl.conf`:

```ini
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
```

Then activate the new settings:

```sh
sysctl -p
```

Enable the WireGuard service so it starts when the server (re)boots:

```sh
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
```

Extra: apply changed settings to the running interface without taking it down:

```sh
wg addconf wg0 <(wg-quick strip wg0)
```
## VPN Client

```ini
[Interface]
Address = <CLIENT_IP>
PrivateKey = <CLIENT_PRIVATE_KEY>

[Peer]
AllowedIPs = 0.0.0.0/0 # route all IPv4 traffic through the VPN
Endpoint = <VPN_SERVER_DOMAIN_OR_IP>:<VPN_SERVER_PORT>
PersistentKeepalive = 30
PublicKey = <VPN_SERVER_PUBLIC_KEY>
```

Then add the client as a peer to the VPN server config:

```ini
[Peer]
AllowedIPs = <CLIENT_IP>/32
PublicKey = <CLIENT_PUBLIC_KEY>
```
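The two configs above are easy to get subtly wrong (a misspelled `AllowedIPs` key or an `Endpoint` without a port makes `wg-quick up` fail). The following linter is an added example, not part of the original note: it parses the wg-quick syntax and flags those slips; the list of accepted keys is an assumption taken from the wg-quick(8) and wg(8) man pages, and the sample config is constructed.

```python
"""Lint a wg-quick config for the slips this note trips over: a misspelled key
(AllowIPs), an Endpoint without a port, and a missing required key."""
import re

# Keys wg-quick(8)/wg(8) accept per section (assumption: taken from the man pages).
KNOWN_KEYS = {
    "Interface": {"Address", "ListenPort", "PrivateKey", "DNS", "MTU", "Table",
                  "PreUp", "PostUp", "PreDown", "PostDown", "SaveConfig", "FwMark"},
    "Peer": {"PublicKey", "PresharedKey", "AllowedIPs", "Endpoint", "PersistentKeepalive"},
}
REQUIRED_KEYS = {"Interface": {"PrivateKey"}, "Peer": {"PublicKey"}}

def parse_wg(text):
    """Return [(section, {key: value}), ...]; a plain loop, since repeated [Peer]
    sections are normal in WireGuard and configparser would reject them."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # wg-quick strips '#' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def lint(text):
    """Return human-readable problems; an empty list means the config is clean."""
    problems = []
    for idx, (name, kv) in enumerate(parse_wg(text)):
        where = f"section {idx} [{name}]"
        for key in sorted(set(kv) - KNOWN_KEYS.get(name, set())):
            problems.append(f"{where}: unknown key {key!r}")
        for key in sorted(REQUIRED_KEYS.get(name, set()) - set(kv)):
            problems.append(f"{where}: missing required key {key!r}")
        endpoint = kv.get("Endpoint")
        if endpoint and not re.search(r":\d+$", endpoint):  # wg needs host:port
            problems.append(f"{where}: Endpoint {endpoint!r} has no port")
    return problems

# Constructed sample reproducing the note's slips (placeholders, not real keys).
BROKEN_CLIENT_CONF = """[Interface]
Address = 10.8.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
[Peer]
AllowIPs = 0.0.0.0/0  # traffic to vpn
Endpoint = vpn.example.org
PublicKey = <VPN_SERVER_PUBLIC_KEY>
"""
```

Run `lint(open("/etc/wireguard/wg0.conf").read())` before `wg-quick up`; an IPv6 endpoint such as `[2001:db8::1]:51820` passes the port check.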
## Troubleshooting

### Unable to access interface: Protocol not supported

Error:

```
wg-quick[9098]: [#] ip link add wg0 type wireguard
wg-quick[9098]: RTNETLINK answers: Operation not supported
wg-quick[9098]: Unable to access interface: Protocol not supported
```

Solution (the kernel module is built by DKMS, which needs the headers for the running kernel):

```sh
apt install linux-headers-$(uname -r)
```

### Unable to reach the LAN behind the VPN server

Run (note that without `-o <interface>` this masquerades all forwarded traffic leaving the server, not only what goes out the Internet-facing interface):

```sh
iptables -t nat -A POSTROUTING -j MASQUERADE
```