First commit
This commit is contained in:
Calmcacil
191
README.md
Normal file
191
README.md
Normal file
@@ -0,0 +1,191 @@
|
||||
# WireGuard VPN Setup for Debian 13
|
||||
|
||||
## Overview
|
||||
Personal WireGuard VPN server with IPv4/IPv6 support, client management via `/etc/wireguard/peer.d/`, designed for 1 CPU / 1GB RAM VPS.
|
||||
|
||||
## Configuration
|
||||
- **Server Domain**: velkhana.calmcacil.dev
|
||||
- **Port**: 51820
|
||||
- **VPN IPv4 Range**: 10.10.69.0/24
|
||||
- **VPN IPv6 Range**: fd69:dead:beef:69::/64
|
||||
- **DNS**: 8.8.8.8, 8.8.4.4 (Google)
|
||||
- **Server-side peer configs**: /etc/wireguard/peer.d/*.conf (loaded dynamically)
|
||||
- **Client-side configs**: /etc/wireguard/clients/*.conf (for distribution)
|
||||
|
||||
## Installation
|
||||
|
||||
### 1. Upload files to VPS
|
||||
```bash
|
||||
scp install-wireguard.sh wg-client-manager calmcacil@velkhana.calmcacil.dev:~/
|
||||
```
|
||||
|
||||
### 2. Run installation
|
||||
```bash
|
||||
chmod +x ~/install-wireguard.sh ~/wg-client-manager
|
||||
sudo ~/install-wireguard.sh
|
||||
```
|
||||
|
||||
### 3. Install client manager
|
||||
```bash
|
||||
sudo mv ~/wg-client-manager /usr/local/sbin/
|
||||
sudo chmod +x /usr/local/sbin/wg-client-manager
|
||||
```
|
||||
|
||||
## Usage
|
||||
|
||||
### Dynamic client loading
|
||||
WireGuard automatically loads clients from `/etc/wireguard/peer.d/`:
|
||||
- Add/remove client configs in `/etc/wireguard/peer.d/*.conf`
|
||||
- Run `sudo /usr/local/sbin/wg-load-clients` to reload
|
||||
- Changes are applied immediately without restarting
|
||||
|
||||
### Add a new client
|
||||
```bash
|
||||
sudo /usr/local/sbin/wg-client-manager add myphone
|
||||
```
|
||||
This creates:
|
||||
- Server config in `/etc/wireguard/peer.d/myphone.conf`
|
||||
- Client config in `/etc/wireguard/clients/myphone.conf`
|
||||
- QR code in `/etc/wireguard/clients/myphone.qr`
|
||||
|
||||
### List all clients
|
||||
```bash
|
||||
sudo /usr/local/sbin/wg-client-manager list
|
||||
```
|
||||
|
||||
### Show client config
|
||||
```bash
|
||||
sudo /usr/local/sbin/wg-client-manager show myphone
|
||||
```
|
||||
|
||||
### Show QR code
|
||||
```bash
|
||||
sudo /usr/local/sbin/wg-client-manager qr myphone
|
||||
```
|
||||
|
||||
### Remove a client
|
||||
```bash
|
||||
sudo /usr/local/sbin/wg-client-manager remove myphone
|
||||
```
|
||||
|
||||
## Server Management
|
||||
|
||||
### Check WireGuard status
|
||||
```bash
|
||||
sudo wg show
|
||||
```
|
||||
|
||||
### Check service status
|
||||
```bash
|
||||
sudo systemctl status wg-quick@wg0
|
||||
```
|
||||
|
||||
### Restart WireGuard
|
||||
```bash
|
||||
sudo systemctl restart wg-quick@wg0
|
||||
```
|
||||
|
||||
### Reload clients (automatic on add/remove)
|
||||
```bash
|
||||
sudo /usr/local/sbin/wg-load-clients
|
||||
```
|
||||
|
||||
### Firewall management
|
||||
The setup configures nftables with:
|
||||
- Dual-stack IPv4/IPv6 support in a single ruleset
|
||||
- Default drop incoming, accept outgoing
|
||||
- SSH access allowed (port 22)
|
||||
- WireGuard allowed (UDP 51820)
|
||||
- Forwarding from wg0 interface allowed
|
||||
- NAT masquerade for VPN internet access
|
||||
|
||||
View firewall rules:
|
||||
```bash
|
||||
sudo nft list ruleset
|
||||
```
|
||||
|
||||
Enable/disable firewall:
|
||||
```bash
|
||||
sudo nftables-firewall disable
|
||||
sudo nftables-firewall enable
|
||||
```
|
||||
|
||||
Allow additional ports if needed:
|
||||
```bash
|
||||
sudo nftables-firewall allow 80/tcp # HTTP
|
||||
sudo nftables-firewall allow 443/tcp # HTTPS
|
||||
```
|
||||
|
||||
## Manual Client Configuration
|
||||
|
||||
To manually add a client, create a file in `/etc/wireguard/peer.d/`:
|
||||
|
||||
```ini
|
||||
[Peer]
|
||||
# mydevice
|
||||
PublicKey = <client_public_key>
|
||||
AllowedIPs = 10.10.69.2/32, fd69:dead:beef:69::2/128
|
||||
```
|
||||
|
||||
Then run:
|
||||
```bash
|
||||
sudo /usr/local/sbin/wg-load-clients
|
||||
```
|
||||
|
||||
## Client Setup
|
||||
|
||||
### Importing the config
|
||||
- **Desktop**: Import `/etc/wireguard/clients/<name>.conf` into WireGuard app
|
||||
- **Mobile**: Scan QR code with WireGuard app, or import config file
|
||||
|
||||
### Test connectivity
|
||||
```bash
|
||||
# On client
|
||||
ping 10.10.69.1
|
||||
ping -6 fd69:dead:beef:69::1
|
||||
|
||||
# Check your IP
|
||||
curl -4 https://ifconfig.me
|
||||
curl -6 https://ifconfig.me
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### Check firewall
|
||||
```bash
|
||||
sudo nft list ruleset
|
||||
```
|
||||
|
||||
### Check IP forwarding
|
||||
```bash
|
||||
sysctl net.ipv4.ip_forward
|
||||
sysctl net.ipv6.conf.all.forwarding
|
||||
```
|
||||
|
||||
### View logs
|
||||
```bash
|
||||
sudo journalctl -u wg-quick@wg0 -f
|
||||
```
|
||||
|
||||
### Check client directory
|
||||
```bash
|
||||
ls -la /etc/wireguard/peer.d/
|
||||
```
|
||||
|
||||
### Manual reload if needed
|
||||
```bash
|
||||
sudo /usr/local/sbin/wg-load-clients
|
||||
```
|
||||
|
||||
## Notes
|
||||
- `/etc/wireguard/peer.d/` - Server-side peer configs, loaded automatically by wg-load-clients
|
||||
- `/etc/wireguard/clients/` - Client-side configs (import to WireGuard apps) and QR codes
|
||||
- Clients are automatically reloaded when added/removed
|
||||
- IPv4 and IPv6 NAT are configured (MASQUERADE)
|
||||
- nftables firewall is configured with dual-stack IPv4/IPv6 support
|
||||
- Single nftables ruleset handles both IPv4 and IPv6
|
||||
- SSH (port 22) and WireGuard (UDP 51820) are allowed by default
|
||||
- Keepalive is set to 25 seconds for better stability
|
||||
- Server private keys are stored in `/etc/wireguard/server_private.key`
|
||||
- Server public key is displayed after installation
|
||||
- Use `nftables-firewall` script for easy firewall management
|
||||
Reference in New Issue
Block a user