Setting Up WireGuard VPN on Debian 13

TL;DR

To set up WireGuard VPN on Debian 13, follow these essential steps:

  1. Install WireGuard: Get the modern VPN solution installed.

    sudo apt update && sudo apt install wireguard wireguard-tools -y  # Install WireGuard
    
  2. Generate Server Keys: Create cryptographic keys for secure connections.

    sudo mkdir /etc/wireguard && cd /etc/wireguard  # Create config directory
    umask 077  # Secure permissions
    wg genkey | sudo tee server_private.key | wg pubkey | sudo tee server_public.key
    
  3. Create Server Configuration: Set up /etc/wireguard/wg0.conf with your keys.

    sudo nano /etc/wireguard/wg0.conf
    

    Add:

    [Interface]
    PrivateKey = <server_private_key>
    Address = 10.0.0.1/24
    ListenPort = 51820
    
    [Peer]
    PublicKey = <client_public_key>
    AllowedIPs = 10.0.0.2/32
    
  4. Enable IP Forwarding: Allow traffic routing through the VPN.

    echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p  # Apply changes
    
  5. Configure Firewall: Allow VPN traffic and set up routing.

    sudo ufw allow 51820/udp  # Allow WireGuard port
    sudo iptables -A INPUT -i wg0 -j ACCEPT  # Allow VPN interface traffic
    sudo iptables -A FORWARD -i wg0 -j ACCEPT  # Forward VPN traffic
    
  6. Start WireGuard: Activate the VPN interface.

    sudo wg-quick up wg0  # Start WireGuard interface
    sudo systemctl enable wg-quick@wg0  # Enable on boot
    
  7. Verify Connection: Check that WireGuard is running properly.

    sudo wg show  # Display active connections
    sudo systemctl status wg-quick@wg0  # Check service status
    

Security Notes: Always protect private keys with secure permissions. Use unique keys for each client. Monitor connections regularly. Consider using a firewall to restrict access to the WireGuard port from specific IPs only.

WireGuard is a modern VPN solution that is simple, fast, and secure. This guide will walk you through setting up a WireGuard VPN on Debian 13, ensuring that you follow best practices for security and configuration.

Quick Overview

To set up WireGuard VPN on Debian 13, follow these steps:

  1. Install WireGuard: Update your package list and install WireGuard:

    sudo apt update && sudo apt install wireguard wireguard-tools -y
    
  2. Generate Key Pairs: Create a private and public key for the server:

    umask 077  # Ensure keys are created with secure permissions
    wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
    
  3. Configure WireGuard: Create a configuration file at /etc/wireguard/wg0.conf:

    sudo nano /etc/wireguard/wg0.conf
    

    Add the following content, adjusting the private key and IP address as needed:

    [Interface]
    PrivateKey = <server-private-key>
    Address = 10.0.0.1/24  # Use a private subnet
    ListenPort = 51820
    
    [Peer]
    PublicKey = <client-public-key>
    AllowedIPs = 10.0.0.2/32  # Client's VPN IP
    
  4. Enable IP Forwarding: Allow IP forwarding to enable traffic routing:

    echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
    sudo sysctl -p  # Apply changes
    
  5. Start WireGuard: Start the WireGuard interface:

    sudo wg-quick up wg0
    ```text
    
  6. Set Up Firewall Rules: Use iptables to allow VPN traffic:

    sudo iptables -A INPUT -i wg0 -j ACCEPT
    sudo iptables -A FORWARD -i wg0 -j ACCEPT
    sudo iptables -A FORWARD -o wg0 -j ACCEPT
    sudo iptables -A OUTPUT -o wg0 -j ACCEPT
    
  7. Persist Configuration: To ensure WireGuard starts on boot:

    sudo systemctl enable wg-quick@wg0
    

Caution: Always secure your private keys and restrict access to the configuration files. Use strong, unique keys for each client.

Understanding WireGuard Network Architecture

Understanding the WireGuard network topology is essential for proper configuration and troubleshooting. Here’s how WireGuard creates a secure VPN tunnel:

WireGuard VPN Network Topology

    Internet                    VPN Tunnel                 Internal Network
       |                    (10.0.0.0/24)                       |
   [Client A]                                              [Internal Server]
   10.0.0.2  <-----------> [WireGuard Server] <---------> 192.168.1.10
       |                   Public IP: X.X.X.X                   |
   [Client B]              VPN IP: 10.0.0.1                [Database Server]
   10.0.0.3  <--------------Port: 51820 UDP---------------> 192.168.1.20
       |                                                        |
   [Client C]                                              [File Server]
   10.0.0.4                 Firewall Rules:               192.168.1.30
       |                   - Allow 51820/UDP                    |
       v                   - Forward 10.0.0.0/24               |
   Authentication          - IP forwarding enabled             |
   & Encryption            - NAT for internal access           |

Traffic Flow:
1. Client authenticates with public/private key pair
2. Encrypted tunnel established over UDP port 51820
3. Client traffic routed through VPN (10.0.0.0/24)
4. Server forwards traffic to internal network (192.168.1.0/24)
5. Return traffic encrypted and sent back through tunnel

**Key Components:**
- **Server**: Acts as VPN gateway with public IP and VPN IP (10.0.0.1)
- **Clients**: Connect with unique VPN IPs (10.0.0.2, 10.0.0.3, etc.)
- **Tunnel**: Encrypted UDP connection on port 51820
- **Routing**: IP forwarding allows access to internal network resources

## Installation of WireGuard

To install WireGuard on your Debian 13 server, follow these steps:

First, ensure your package list is up to date and install the WireGuard package along with the necessary tools:
sudo apt update && sudo apt upgrade -y  # Update package list and upgrade installed packages
sudo apt install wireguard wireguard-tools -y  # Install WireGuard and its tools

Next, verify the installation by checking the WireGuard version:

wg --version  # Check the installed WireGuard version

After confirming the installation, you need to set up the WireGuard configuration. Create a directory for your WireGuard configuration files:
sudo mkdir /etc/wireguard  # Create WireGuard configuration directory

Now, generate the private and public keys for the server:

umask 077  # Set permissions to restrict access to the keys
wg genkey | sudo tee /etc/wireguard/server_private.key  # Generate private key
wg pubkey < /etc/wireguard/server_private.key | sudo tee /etc/wireguard/server_public.key  # Generate public key

Make sure to keep your private key secure and never share it. You can view your public key with:
sudo cat /etc/wireguard/server_public.key  # Display the public key

Next, create the WireGuard configuration file. Use a text editor to create /etc/wireguard/wg0.conf:

sudo nano /etc/wireguard/wg0.conf  # Open the configuration file in nano

Add the following basic configuration, replacing `<ServerPrivateKey>` and `<YourServerIP>` with your actual private key and server's public IP address:
[Interface]
Address = 10.0.0.1/24  # VPN subnet
ListenPort = 51820  # Default WireGuard port
PrivateKey = <ServerPrivateKey>

[Peer]
PublicKey = <ClientPublicKey>  # Client's public key
AllowedIPs = 10.0.0.2/32  # Client's VPN IP

Finally, set the correct permissions for the configuration file:

sudo chmod 600 /etc/wireguard/wg0.conf  # Secure the configuration file

You are now ready to start the WireGuard service.

## Configuration of WireGuard Server

To configure the WireGuard server, follow these steps:

1. **Generate Server Keys**: First, create a directory for WireGuard and generate the private and public keys.

   ```bash
   sudo mkdir -p /etc/wireguard
   cd /etc/wireguard
   umask 077  # Ensure private key is not accessible by others
   wg genkey | sudo tee server_private.key | wg pubkey | sudo tee server_public.key
   ```text

2. **Create the Configuration File**: Create a configuration file named `wg0.conf`.

sudo nano /etc/wireguard/wg0.conf


Add the following content, adjusting the `PrivateKey`, `Address`, and `ListenPort` as needed:

[Interface] PrivateKey = <server_private_key> # Replace with the content of server_private.key Address = 10.0.0.1/24 # VPN subnet ListenPort = 51820 # Default WireGuard port

[Peer] PublicKey = <client_public_key> # Replace with the client’s public key AllowedIPs = 10.0.0.2/32 # Client’s VPN IP


3. **Enable IP Forwarding**: To allow traffic to flow through the VPN, enable IP forwarding.

echo “net.ipv4.ip_forward=1” | sudo tee -a /etc/sysctl.conf sudo sysctl -p # Apply changes


4. **Start the WireGuard Interface**: Bring up the WireGuard interface using the following command.

sudo wg-quick up wg0 # Start the WireGuard interface


5. **Set Up Firewall Rules**: If you have a firewall, allow traffic on the WireGuard port.

ufw allow 51820/udp # Allow WireGuard traffic


6. **Persist the Configuration**: To ensure WireGuard starts on boot, enable the service.

sudo systemctl enable wg-quick@wg0 # Enable WireGuard to start at boot


**Caution**: Always ensure your private keys are kept secure and never shared. Use strong, unique keys for each client.

## Configuration of WireGuard Client

To configure the WireGuard client on your Debian 13 server, follow these steps:

1. **Install WireGuard**: Ensure that WireGuard is installed on your client machine. If you haven't done so, run:

sudo apt update && sudo apt install wireguard


2. **Generate Key Pair**: Create a private and public key for your client. This is crucial for establishing a secure connection.

umask 077 # Set permissions to protect private key wg genkey | tee privatekey | wg pubkey > publickey


The private key will be stored in `privatekey` and the public key in `publickey`.

3. **Create Configuration File**: Create a configuration file for your WireGuard client. Replace `<YOUR_PRIVATE_KEY>`, `<SERVER_PUBLIC_KEY>`, `<SERVER_IP>`, and `<CLIENT_IP>` with your actual keys and IP addresses.

sudo nano /etc/wireguard/wg0.conf


Add the following content:

[Interface] PrivateKey = <YOUR_PRIVATE_KEY> Address = <CLIENT_IP>/24 # Use a unique IP for the client

[Peer] PublicKey = <SERVER_PUBLIC_KEY> Endpoint = <SERVER_IP>:51820 # Server’s public IP and port AllowedIPs = 0.0.0.0/0 # Route all traffic through the VPN PersistentKeepalive = 25 # Keep connection alive


**Caution**: Ensure that the `AllowedIPs` is set correctly to avoid routing issues. Setting it to `0.0.0.0/0` routes all traffic through the VPN, which is common for a client.

4. **Start WireGuard**: Bring up the WireGuard interface with the following command:

sudo wg-quick up wg0


5. **Enable on Boot**: To ensure WireGuard starts on boot, enable the service:

sudo systemctl enable wg-quick@wg0


6. **Check Status**: Verify that the WireGuard interface is up and running:

sudo wg show


By following these steps, your WireGuard client should be properly configured and ready to connect to the VPN server.

## Firewall and Routing Setup

To ensure secure communication through your WireGuard VPN, you need to configure the firewall and routing settings on your Debian 13 server.

First, install `iptables` if it is not already installed:
sudo apt update
sudo apt install iptables
```text

Next, configure `iptables` to allow traffic through the WireGuard port (default is 51820). You may also want to allow traffic for the VPN subnet. Replace `10.0.0.0/24` with your actual VPN subnet.

```bash
sudo iptables -A INPUT -p udp --dport 51820 -j ACCEPT

## Allow traffic from the VPN subnet
sudo iptables -A INPUT -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -s 10.0.0.0/24 -j ACCEPT
sudo iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

## Allow outgoing traffic to the VPN subnet
sudo iptables -A OUTPUT -d 10.0.0.0/24 -j ACCEPT

To ensure that your changes persist after a reboot, install `iptables-persistent`:
sudo apt install iptables-persistent
```text

During installation, you will be prompted to save the current `iptables` rules. Choose "Yes" to save.

Next, enable IP forwarding to allow traffic to flow between the VPN and the internet. Edit the `/etc/sysctl.conf` file:

```bash
sudo nano /etc/sysctl.conf

Uncomment or add the following line:
net.ipv4.ip_forward=1

Apply the changes:

sudo sysctl -p

## Troubleshooting

### Issue: VPN Connection Fails

**Symptoms:**
- Connection timeout when trying to establish VPN tunnel
- "Connection refused" or "No route to host" errors

**Cause:**
- Firewall blocking VPN ports
- Incorrect server configuration
- Network routing issues

**Solution:**
## Check if VPN service is running
sudo systemctl status wg

## Verify firewall allows VPN traffic
sudo ufw status | grep 1194

## Check routing table
ip route show

Prevention:

  • Document firewall rules during setup
  • Monitor VPN service with systemd
  • Keep configuration backups

Issue: Authentication Failures

Symptoms:

  • “Authentication failed” errors
  • Certificate validation errors

Cause:

  • Expired certificates
  • Incorrect credentials
  • Certificate path mismatch

Solution:

## Check certificate validity
openssl x509 -in /path/to/cert.pem -text -noout | grep "Not After"

## Verify certificate permissions
ls -l /path/to/cert.pem

## Test with verbose logging
wg --verb 4

**Prevention:**
- Set up certificate expiration monitoring
- Use proper certificate management
- Document authentication setup

---

### Issue: Performance Degradation

**Symptoms:**
- Slow connection speeds
- High latency
- Packet loss

**Cause:**
- MTU size misconfiguration
- CPU/memory constraints
- Network congestion

**Solution:**
## Test MTU size
ping -M do -s 1400 [vpn-server]

## Check system resources
top
htop

## Monitor VPN throughput
iftop -i tun0
```text

**Prevention:**
- Set appropriate MTU values
- Monitor resource usage
- Use QoS settings if available


## Related Guides

- **Edge Computing Security for IoT Gateways on Debian**  
  Learn to secure IoT gateways [on Debian 13](/posts/quantum-safe-cryptography-preparation-on-debian-13/) using edge computing, with practical steps for setup, network security, encryption, and threat monitoring.

- **Backing Up PostgreSQL with pgBackRest**  
  Complete guide to secure PostgreSQL backups with pgBackRest on Debian

- **Configuring Dovecot for Secure IMAP**  
  Learn how to securely configure Dovecot for IMAP [on Debian 13](/posts/using-nftables-instead-of-iptables-on-debian-13/) with step-by-step

- **Postfix Secure SMTP Setup on Debian**  
  Learn how to securely set up Postfix SMTP [on Debian 13](/posts/quantum-safe-cryptography-preparation-on-debian-13/) with TLS encryption,

- **Debian Firewall Rules for Kubernetes Nodes**  
  Secure Kubernetes nodes on Debian 13: iptables rules for kubelet, API
- **Secure Remote Desktop with X2Go over SSH**
- **[Using Tailscale WireGuard Mesh VPN](/posts/using-tailscale-wireguard-mesh-vpn-for-private-admin-access/)**

## Verification

**Check Service Status**

```bash
sudo systemctl status wg
## Expected: active (running)

**Verify Configuration**
## Check configuration files are in place
ls -l /etc/

Test Functionality

## Test the configured functionality
## Add specific test commands for your setup

## Rollback Procedure

If you need to revert these changes:

**1. Stop the Service**
sudo systemctl stop wg

2. Restore Configuration

## Restore from backup (create backups before making changes)
sudo cp /etc/[config_file].backup /etc/[config_file]

**3. Restart Service**
sudo systemctl restart wg
sudo systemctl status wg