WireGuard

How to install and configure WireGuard on Debian

WireGuard is a modern VPN based on strong cryptography with a small attack surface. This page shows a practical Debian setup: server configuration, peers, key generation, IP forwarding, and basic firewall/NAT rules.

1) Install WireGuard

sudo apt update
sudo apt upgrade -y
sudo apt install -y wireguard

2) Generate keys (server or client)

Store keys in /etc/wireguard and protect permissions properly.

sudo install -d -m 0700 /etc/wireguard

wg genkey | sudo tee /etc/wireguard/private.key >/dev/null
sudo chmod 0600 /etc/wireguard/private.key

sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key >/dev/null
sudo chmod 0644 /etc/wireguard/public.key

3) Choose IP ranges

Example internal networks:

  • IPv4: 10.0.1.0/24
  • IPv6 (ULA): fdxx:xxxx:xxxx::/64 (replace with your own prefix)

Tip: for IPv6 Unique Local Addresses (ULA), use a prefix starting with fd.

4) Server configuration

/etc/wireguard/wg0.conf

Replace SERVER_PRIVATE_KEY with the contents of /etc/wireguard/private.key generated in step 2, and replace the interface name eth0 with your public interface. The default WireGuard UDP port is 51820, but you can choose a custom port.

[Interface]
PrivateKey = SERVER_PRIVATE_KEY
Address = 10.0.1.1/24, fdxx:xxxx:xxxx::1/64
ListenPort = 51820

# NAT for IPv4 and IPv6 (example using iptables)
# Replace eth0 with your public interface name
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PreDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

# Peer example (client)
[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.1.2/32, fdxx:xxxx:xxxx::2/128

  • AllowedIPs on the server is the cryptokey routing table for that peer: packets destined to those addresses are sent to the peer, and packets arriving from the peer are accepted only if their source address is in the list.
  • Use one unique IPv4/IPv6 per peer (no overlaps).
  • Use PersistentKeepalive on clients behind NAT (not needed on the server).

5) Enable IP forwarding

Required if you want the server to route traffic between WireGuard peers and the internet/LAN.

sudo tee /etc/sysctl.d/99-wireguard-forwarding.conf >/dev/null <<'EOF'
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
EOF

sudo sysctl --system

6) Firewall

Open the WireGuard UDP port on the server firewall. Example for UFW:

sudo ufw allow 51820/udp

If you do not use UFW, ensure your firewall allows inbound UDP on the WireGuard port.

7) Start the tunnel

sudo systemctl enable --now wg-quick@wg0.service
sudo systemctl status wg-quick@wg0.service --no-pager

Useful status commands:

sudo wg show
ip a show wg0

8) Client configuration

/etc/wireguard/wg0.conf (client)

Replace CLIENT_PRIVATE_KEY and SERVER_PUBLIC_KEY. Use your server public IP and WireGuard UDP port.

[Interface]
PrivateKey = CLIENT_PRIVATE_KEY
Address = 10.0.1.2/24, fdxx:xxxx:xxxx::2/64

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = YOUR.SERVER.IP.ADDRESS:51820

# Option A (split tunnel): only VPN subnet traffic goes through WireGuard
AllowedIPs = 10.0.1.0/24, fdxx:xxxx:xxxx::/64

# Option B (full tunnel): route all traffic via VPN
# AllowedIPs = 0.0.0.0/0, ::/0

# Keepalive recommended for clients behind NAT
PersistentKeepalive = 25

Start the client tunnel:

sudo systemctl enable --now wg-quick@wg0.service
sudo wg show

Security notes

  • Protect private keys: keep /etc/wireguard readable only by root.
  • Restrict AllowedIPs: avoid broad ranges unless you intend full tunneling.
  • Unique peer IPs: each peer gets its own host address (/32 and /128) in AllowedIPs, with no overlap between peers.
  • Firewall: only allow inbound UDP on the WireGuard port.
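The following script is an added example (not part of this page or of the WireGuard project) that checks a server-side wg0.conf against the rules from section 4 and the security notes: every peer PublicKey must be a 32-byte base64 value, every AllowedIPs entry must be a single host address, and no two peers may overlap. The sample config and the all-zero placeholder key are constructed for the demonstration; the second peer is deliberately misconfigured so the checker has something to report.

```python
import base64
import ipaddress
# Constructed sample in the wg0.conf layout of section 4; peer 2 is deliberately wrong.
SAMPLE_CONF = """\
[Interface]
Address = 10.0.1.1/24, fd00:1234:5678::1/64
[Peer]
PublicKey = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AllowedIPs = 10.0.1.2/32, fd00:1234:5678::2/128
[Peer]
PublicKey = not-a-key
AllowedIPs = 10.0.1.0/24
"""

def parse_peers(text):
    """One dict per [Peer] section; '#' comments, blank lines and [Interface] are skipped."""
    peers, in_peer = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_peer = line == "[Peer]"
            if in_peer:
                peers.append({})
        elif in_peer and "=" in line:
            key, value = line.split("=", 1)  # first '=' only: base64 keys end in '='
            peers[-1][key.strip()] = value.strip()
    return peers

def valid_key(value):
    """A WireGuard key is exactly 32 bytes of base64 (44 characters with padding)."""
    try:
        return len(value) == 44 and len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def audit_peers(text):
    """Findings for the [Peer] sections; an empty list means the rules above are met."""
    findings, seen = [], []
    for idx, peer in enumerate(parse_peers(text), 1):
        if not valid_key(peer.get("PublicKey", "")):
            findings.append(f"peer {idx}: PublicKey is not a valid 32-byte base64 key")
        for item in filter(None, map(str.strip, peer.get("AllowedIPs", "").split(","))):
            net = ipaddress.ip_network(item, strict=False)  # ValueError on garbage entries
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"peer {idx}: {item} is a whole subnet, not one host address")
            for other, other_idx in seen:
                if net.version == other.version and net.overlaps(other):
                    findings.append(f"peer {idx}: {item} overlaps peer {other_idx} ({other})")
            seen.append((net, idx))
    return findings
```

Running `audit_peers(SAMPLE_CONF)` reports three findings for peer 2 (bad key, whole-subnet AllowedIPs, overlap with peer 1); pointing it at a real file is `audit_peers(open("/etc/wireguard/wg0.conf").read())` as root.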