
Published on October 6th, 2017 | by Manisha Gehlot


How to setup WireGuard VPN on your Debian GNU/Linux server with IPv6 support?

This is a comprehensive guide to configuring a WireGuard VPN server on Debian Jessie or a newer GNU/Linux distribution. I am going to use my favourite, Debian Stable, for this guide, but it works equally well for derivatives including, but not limited to, Ubuntu.

For those who don’t know, WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner and more useful than other VPN protocols such as OpenVPN and IPsec. At the time of writing WireGuard is not yet stable and is under heavy development, but even in its unoptimized state it is up to four times faster than the popular OpenVPN protocol and delivers much lower ping times.

WireGuard aims to be as simple to configure as SSH. A connection is established by an exchange of public keys between server and client, much like SSH keys: only a client whose public key is listed in the server’s configuration is authorized, and the client in turn only talks to the server whose public key is in its own configuration.

More information can be found at https://www.wireguard.com/

Prerequisites:

  • A high-performance Linux server with a public IPv4 and IPv6 address on its NIC
  • Root or sudo access to the same.
  • SSH client like OpenSSH

Let’s roll.

A. SSH into your Linux server

Log in to your Linux server as root or as a user account with sudo access as follows:

Depending on the SSH authentication scheme you have configured, you may be prompted for a password or to confirm the server’s host key.

B. Installing latest WireGuard from Debian unstable’s repo

C. WireGuard VPN server configuration

All the configuration for the WireGuard VPN server lives in a single file, /etc/wireguard/wg0.conf. It need not be called wg0.conf; it could be server.conf or udp.conf. Note, however, that wg-quick names the tunnel interface after the file, so wg-quick up server would create an interface called server.

I have already written a model server configuration file wg0.conf for you, and we discuss it below. I explain every line and also provide any additional commands (not part of wg0.conf itself) required for a particular option to work.

Without wasting any further time, let’s begin with the server configuration file now.

You are advised to read the manuals of the wg-quick and wg commands (man wg-quick, man wg), as both are used a lot in this guide.

Let’s start by generating a private key for the WireGuard server. The command below prints a private key. Treat it like an SSH private key: it must only be readable by root.

wg0.conf begins here

The [Interface] section defines the tunnel interface and holds the WireGuard server’s private key generated above.

Address sets the private IPv4 and IPv6 addresses that the WireGuard server uses inside the tunnel, behind the public IP of the Linux server. ListenPort specifies the UDP port our VPN server listens on for connections.

PostUp adds Linux IP masquerade rules so that all clients share the Linux server’s public IPv4 and IPv6 address, and PostDown removes those rules once the tunnel is down, keeping the tables neat and tidy. SaveConfig makes wg-quick write anything added while the tunnel is up, such as a newly added client, back to the server configuration file when the interface goes down; be aware that this also overwrites any manual edits you made to the file while the tunnel was running.

D. Packet forwarding, firewall rules and more

Packet forwarding

Packet forwarding is required to forward traffic from clients to the Internet.

Edit /etc/sysctl.conf as follows:

Look for the following entries and uncomment them by removing the ‘#’ at the beginning of the line.

Save, exit and then apply it as follows:

Firewall rules

Configuring a firewall is a must to prevent unauthorized access to your VPS. I have used ufw, a popular and easy-to-use front-end for iptables.

Let’s start by installing it:

Allow connections to the SSH and WireGuard VPN ports in ufw before enabling it:

Enabling ufw with ufw enable gives you a warning: “Command may disrupt existing ssh connections. Proceed with operation (y|n)?”

Type y without hesitation; the SSH rule added above keeps your current session alive.

Once enabled, verify it with the following command:

E. Starting WireGuard VPN server and enabling it to run on reboot

You can check whether the VPN tunnel is running as follows:

wg show prints the server’s public key in its output; make a note of it, as we need it for the client configuration file.
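The whole server-side procedure of sections C to E, as an added example that is not part of the original post: a shell script that renders wg0.conf with dual-stack NAT rules, enables forwarding, opens ufw and starts the tunnel. The NIC name eth0, the tunnel subnets 10.0.0.0/24 and fd86:ea04:1115::/64 (chosen to match the addresses mentioned in the comments below), UDP port 51820 and SSH on port 22 are assumptions, not values taken from the post.

```shell
#!/bin/sh
# Added example, not the post's own commands: renders the server-side
# /etc/wireguard/wg0.conf with dual-stack NAT, turns on forwarding, opens
# the firewall and starts the tunnel. Assumptions (not from the post):
# the public NIC is eth0, the tunnel uses 10.0.0.1/24 and
# fd86:ea04:1115::1/64, WireGuard listens on UDP 51820 and SSH on TCP 22.
set -eu

WG_IF="wg0"
WAN_IF="${WAN_IF:-eth0}"        # assumed name of the NIC holding the public IPs
WG_PORT="${WG_PORT:-51820}"
WG_V4="10.0.0.1/24"             # assumed server tunnel addresses
WG_V6="fd86:ea04:1115::1/64"

# Render the [Interface] section. wg-quick replaces %i with the interface
# name. PostUp accepts forwarded traffic from the tunnel and masquerades it
# behind the public IPv4 and IPv6 address; PostDown removes the same rules.
# SaveConfig makes wg-quick write peers added with `wg set` back to this
# file when the interface goes down.
render_server_conf() {
    # $1 private key, $2 WAN NIC, $3 UDP port, $4 tunnel IPv4, $5 tunnel IPv6
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $4, $5
ListenPort = $3
SaveConfig = true
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o $2 -j MASQUERADE; ip6tables -A FORWARD -i %i -j ACCEPT; ip6tables -t nat -A POSTROUTING -o $2 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o $2 -j MASQUERADE; ip6tables -D FORWARD -i %i -j ACCEPT; ip6tables -t nat -D POSTROUTING -o $2 -j MASQUERADE
EOF
}

# Everything below touches the system and needs root plus the wireguard tools.
server_setup() {
    umask 077                      # the private key must not be world-readable
    mkdir -p /etc/wireguard
    render_server_conf "$(wg genkey)" "$WAN_IF" "$WG_PORT" "$WG_V4" "$WG_V6" \
        > "/etc/wireguard/$WG_IF.conf"

    # Forwarding for both address families, persisted and applied now.
    printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' \
        > /etc/sysctl.d/99-wireguard.conf
    sysctl --system >/dev/null

    # Allow SSH before enabling ufw so the current session survives.
    ufw allow 22/tcp
    ufw allow "$WG_PORT/udp"
    ufw --force enable

    systemctl enable --now "wg-quick@$WG_IF"
    echo "Server public key for client.conf:"
    wg show "$WG_IF" public-key
}

# Only act when explicitly asked and running as root; otherwise the script
# just defines the functions so the rendering can be checked on any machine.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    server_setup
fi
```

Run it once on the server as root with --apply. Because ufw’s default forward policy is DROP, the iptables -A FORWARD -i %i -j ACCEPT rules in PostUp are what let client traffic leave the host; with only the MASQUERADE rules, clients would complete handshakes and get answers from 10.0.0.1 but nothing beyond it.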

Hurrah! Done with WireGuard VPN server-side setup.

F. WireGuard VPN Client configuration

This is to be done on a local client machine running Debian GNU/Linux, one of its derivatives, or another GNU/Linux distribution. Installing WireGuard on a Debian GNU/Linux client machine is exactly the same as in section B above. For other Linux distributions, refer to https://www.wireguard.com/install/.

A model client configuration file client.conf is given below. All the options used in it are either similar to the server configuration above or self-explanatory; still, refer to the manual whenever required.

Before we move to the configuration file, let’s generate a key pair for the client using the wg command as follows:

It generates the key pair and stores the public key in the file publickey and the private key in privatekey. Keep privatekey readable by root only.

Moving on to client.conf:

Save the above as client.conf in the /etc/wireguard/ directory of your local machine after filling in the client’s PrivateKey, the server’s PublicKey and the Endpoint, i.e. the public IP of your Linux server.

G. Adding WireGuard client(s) to VPN server on Linux server

Next we add a client, or peer, on the VPN server by executing the following wg command on the Linux server:

A newly added client can be verified on the Linux server with the wg show command. Any number of clients, each with its own public key and its own tunnel address in AllowedIPs, can be added while the tunnel is up and running! Thanks to the SaveConfig entry in the server configuration above, wg-quick writes them to wg0.conf when the VPN interface is brought down for any reason, such as a reboot.

More clients can be added similarly:
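Sections F and G together, as an added example that is not the post’s own commands: a script that derives the n-th client’s tunnel addresses, renders its client.conf and prints the matching wg set line for the server. The assumptions, again not from the post, are the 10.0.0.0/24 and fd86:ea04:1115::/64 tunnel subnets with the server at .1 and ::1, UDP port 51820, an IPv4 endpoint, and a PersistentKeepalive of 25 seconds, which I add so that clients behind NAT keep their mapping open.

```shell
#!/bin/sh
# Added example, not the post's own commands: provisions the n-th client.
# It derives the client's tunnel addresses, renders client.conf and prints
# the `wg set` line to run on the server. Assumptions (not from the post):
# the server uses 10.0.0.1/24 and fd86:ea04:1115::1/64 inside the tunnel,
# listens on UDP 51820 and is reached via its public IPv4 address.
set -eu

V4_NET="10.0.0"                   # assumed server-side /24
V6_NET="fd86:ea04:1115::"         # assumed server-side /64
SERVER_PORT="${SERVER_PORT:-51820}"

# Client n (1, 2, 3, ...) gets host number n+1; .1 and ::1 are the server.
client_addr_v4() { printf '%s.%d' "$V4_NET" $(( $1 + 1 )); }
# The IPv6 host part is hexadecimal: client 15 is ::10, not ::16.
client_addr_v6() { printf '%s%x' "$V6_NET" $(( $1 + 1 )); }

# Server-side AllowedIPs: exactly one host per family. WireGuard routes by
# AllowedIPs, so two peers must never claim the same address.
peer_allowed_ips() { printf '%s/32,%s/128' "$(client_addr_v4 "$1")" "$(client_addr_v6 "$1")"; }

render_client_conf() {
    # $1 client private key, $2 client index, $3 server public key, $4 server public IPv4
    cat <<EOF
[Interface]
PrivateKey = $1
Address = $(client_addr_v4 "$2")/24, $(client_addr_v6 "$2")/64

[Peer]
PublicKey = $3
Endpoint = $4:$SERVER_PORT
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Generates the key pair (private key file readable by its owner only) and
# writes client.conf in the current directory; move it to /etc/wireguard/.
provision_client() {
    # $1 client index, $2 server public key, $3 server public IPv4
    umask 077
    wg genkey | tee privatekey | wg pubkey > publickey
    render_client_conf "$(cat privatekey)" "$1" "$2" "$3" > client.conf
    echo "Now run on the server:"
    echo "  wg set wg0 peer $(cat publickey) allowed-ips $(peer_allowed_ips "$1")"
}

# Usage: sh provision.sh --apply <index> <server-public-key> <server-ipv4>
if [ "${1:-}" = "--apply" ] && [ "$#" -eq 4 ]; then
    provision_client "$2" "$3" "$4"
fi
```

Client 3, for instance, gets 10.0.0.4 and fd86:ea04:1115::4. The server-side AllowedIPs carries /32 and /128 because WireGuard uses it as a routing table and two peers cannot own the same address, while the client’s own Address keeps the /24 and /64 prefix lengths so it can reach the server’s tunnel addresses directly.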

Work on the WireGuard VPN server is done here. You may close your active SSH connection to it, if any.

H. Connecting to WireGuard VPN server from a local machine

Connect to your WireGuard VPN server from the GNU/Linux client as follows to test your VPN setup for the first time:

wg-quick is a script that looks for client.conf in /etc/wireguard/ and uses the wg and ip commands to set up your VPN connection on the local machine in seconds. The tunnel interface is named after the file, so it shows up as client in the output of wg show and ip addr.

Verify the connection with the wg command and by pinging the server’s interface IP as follows:

Upon successful connection, the last two lines of the output of sudo wg above should look as follows:

Visit a website such as https://duckduckgo.com/IP_Address or https://ipchicken.com to check your IP; if it is your Linux server’s public IP, you did it! Also visit https://ipv6.google.com to make sure you have IPv6 connectivity.
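The verification in this section, as an added example that is not from the post: a small script that pings the server’s tunnel addresses over both families and classifies each peer’s last handshake from the output of wg show. The sample handshake lines are constructed, and the server tunnel addresses 10.0.0.1 and fd86:ea04:1115::1 are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: checks the client side of the
# tunnel. wg-quick names the interface after the config file, so client.conf
# becomes the interface "client". Assumptions (not from the post): the
# server's tunnel addresses are 10.0.0.1 and fd86:ea04:1115::1.
set -eu

# Constructed sample in the format of `wg show <iface> latest-handshakes`:
# peer public key, a tab, and the unix time of the last handshake (0 = never).
SAMPLE_HANDSHAKES="$(printf 'AbCdPeerOneKey=\t1507300000\nXyZPeerTwoKey=\t0\n')"

# Classify each peer as fresh, stale or never. A working tunnel completes a
# new handshake at least every couple of minutes while traffic flows, so a
# handshake older than 180 s means packets are not getting through (wrong
# Endpoint, UDP port filtered, NAT without keepalive, or clock skew).
handshake_status() {
    # $1 current unix time; stdin: latest-handshakes output
    now="$1"
    while IFS="$(printf '\t')" read -r key ts; do
        [ -n "$key" ] || continue
        if [ "$ts" -eq 0 ]; then
            state=never
        elif [ $(( now - ts )) -le 180 ]; then
            state=fresh
        else
            state=stale
        fi
        printf '%s %s\n' "$key" "$state"
    done
}

# Live check on the client machine: bring the tunnel up, ping the server's
# tunnel addresses over both families, then inspect handshakes and counters.
live_check() {
    wg-quick up client
    ping -c 3 10.0.0.1
    ping6 -c 3 fd86:ea04:1115::1
    wg show client latest-handshakes | handshake_status "$(date +%s)"
    wg show client transfer   # rx/tx bytes per peer; tx growing with rx at 0 = one-way
}

if [ "${1:-}" = "--live" ] && [ "$(id -u)" -eq 0 ]; then
    live_check
fi
```

A peer reported as never or stale while the pings hang points at the UDP path: the Endpoint, the server firewall, or a NAT in front of the server that needs a port forward for 51820/udp. If handshakes are fresh and 10.0.0.1 answers but websites still hang, the problem is on the server’s forwarding or NAT side instead.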

As of now WireGuard is only supported on GNU/Linux, but support for more platforms is expected. Linux-based embedded devices such as routers can already expect a large performance boost over other prominent VPN protocols like OpenVPN.

Finally! We have successfully hosted a secure, modern and fast WireGuard VPN server on a Linux server, not just for you but even for your loved ones.


For any issues, suggestions or further help, you are free to comment.

Thanks for reading!



About the Author

I am a privacy, security, encryption and software freedom enthusiast. I am into VPNs and TLS security. Recently I also got into technical writing. I am working in VPN support and consulting at some Nordic VPN providers.



9 Responses to How to setup WireGuard VPN on your Debian GNU/Linux server with IPv6 support?

  1. t. says:

    How about using a real ipv6 address, so that you would have a dual-stack on wireguard.

    That would require an extra line, using ip6tables.

    fd86: is just a link-local ipv6 ip.

  2. Manisha Gehlot says:

    This is a dual stack setup only. Just that I am setting up a NAT for IPv6 too as most of the VPS providers till date do not offer an extra routed IPv6 netblock. So, I wrote it such that even guys with VPS having a single IPv4+v6 address on main NIC can get IPv6 support for every VPN client along with IPv4 behind NAT.

    That being so, you can modify the setup however you like. Suit yourself. 😀

  3. Bhekzinto says:

    Doesn’t work on Debian Stretch. Error: Unable to get device: Protocol not supported

  4. Will says:

    It works on gcp, thanks! Question, I’m creating multiple client.conf files and don’t know enough about IPv6 to increment it. How do I increment on top of the first one you gave, fd86:ea04:1115::5/64?

  5. James says:

    I’m also on Debian Stretch and this doesn’t completely work, only ipv6 traffic gets through. Firstly, my server is behind a NAT so remember to poke a UDP hole in your NAT pointing to your server on port 51820. After doing that, `ping 10.0.0.1` works and `wg` shows that the machines are talking through wireguard. However, if I try to go to an ipv4 website the browser hangs. Interestingly, if I try going to ipv6.google.com it works and I can search normally. Of course most sites don’t support ipv6 so this is highly limiting. Do you know any reason why ipv4 would be not getting through but ipv6 would?
