# WireGuard VPN Setup for Debian 13

## Overview

Personal WireGuard VPN server with IPv4/IPv6 support and client management via `/etc/wireguard/peer.d/`, designed for a 1 CPU / 1 GB RAM VPS.

## Configuration

- **Server Domain**: velkhana.calmcacil.dev
- **Port**: 51820 (UDP)
- **VPN IPv4 Range**: 10.10.69.0/24 (server address: 10.10.69.1)
- **VPN IPv6 Range**: fd69:dead:beef:69::/64 (server address: fd69:dead:beef:69::1)
- **DNS**: 8.8.8.8, 8.8.4.4 (Google)
- **Server-side peer configs**: `/etc/wireguard/peer.d/*.conf` (loaded dynamically)
- **Client-side configs**: `/etc/wireguard/clients/*.conf` (for distribution; each one contains that client's private key)

## Installation

### 1. Upload files to VPS

```bash
scp install-wireguard.sh wg-client-manager calmcacil@velkhana.calmcacil.dev:~/
```

### 2. Run installation

```bash
chmod +x ~/install-wireguard.sh ~/wg-client-manager
sudo ~/install-wireguard.sh
```

### 3. Install client manager

```bash
sudo mv ~/wg-client-manager /usr/local/sbin/
sudo chmod +x /usr/local/sbin/wg-client-manager
```

## Usage

### Dynamic client loading

WireGuard loads its peers from `/etc/wireguard/peer.d/`:

- Add or remove client configs in `/etc/wireguard/peer.d/*.conf`
- Run `sudo /usr/local/sbin/wg-load-clients` to reload
- Changes are applied immediately, without restarting the interface

### Add a new client

```bash
sudo /usr/local/sbin/wg-client-manager add myphone
```

This creates:

- Server-side peer config in `/etc/wireguard/peer.d/myphone.conf`
- Client config in `/etc/wireguard/clients/myphone.conf`
- QR code in `/etc/wireguard/clients/myphone.qr`

The client config and the QR code both contain the client's private key. Keep them root-only on the server, hand them over through a channel you trust, and if a copy is lost, `remove` the client and add it again so the old key stops working.

### List all clients

```bash
sudo /usr/local/sbin/wg-client-manager list
```

### Show client config

```bash
sudo /usr/local/sbin/wg-client-manager show myphone
```

### Show QR code

```bash
sudo /usr/local/sbin/wg-client-manager qr myphone
```

### Remove a client

```bash
sudo /usr/local/sbin/wg-client-manager remove myphone
```

## Server Management

### Check WireGuard status

```bash
sudo wg show
```

### Check service status

```bash
sudo systemctl status wg-quick@wg0
```

### Restart WireGuard

```bash
sudo systemctl restart wg-quick@wg0
```

### Reload clients (automatic on add/remove)

```bash
sudo /usr/local/sbin/wg-load-clients
```

### Firewall management

The setup configures nftables with:

- Dual-stack IPv4/IPv6 support in a single ruleset
- Default drop for incoming traffic, accept for outgoing
- SSH access allowed (TCP 22)
- WireGuard allowed (UDP 51820)
- Forwarding from the wg0 interface allowed
- NAT masquerade for VPN internet access

View firewall rules:

```bash
sudo nft list ruleset
```

Enable/disable firewall:

```bash
sudo nftables-firewall disable
sudo nftables-firewall enable
```

While the firewall is disabled nothing on the host filters inbound traffic, so re-enable it as soon as you are done debugging.

Allow additional ports if needed:

```bash
sudo nftables-firewall allow 80/tcp   # HTTP
sudo nftables-firewall allow 443/tcp  # HTTPS
```

## Manual Client Configuration

To add a client by hand, create a file in `/etc/wireguard/peer.d/` with the client's public key and its own /32 and /128 from the VPN ranges (no other peer file may use the same key or the same addresses):

```ini
[Peer]
# mydevice
# PublicKey: the client's public key; the client keeps the matching private key
PublicKey =
AllowedIPs = 10.10.69.2/32, fd69:dead:beef:69::2/128
```

Keep `AllowedIPs` to single host addresses. WireGuard uses it both to route packets to the peer and as the source-address filter for packets arriving from it, so a wider prefix would let that client send traffic as other addresses.

Then run:

```bash
sudo /usr/local/sbin/wg-load-clients
```

## Client Setup

### Importing the config

- **Desktop**: Import the client's file from `/etc/wireguard/clients/` (for example `myphone.conf`) into the WireGuard app
- **Mobile**: Scan the QR code with the WireGuard app, or import the config file

### Test connectivity

```bash
# On client
ping 10.10.69.1
ping -6 fd69:dead:beef:69::1

# Check your public IP: with the tunnel up it should be the VPS's address, not your ISP's
curl -4 https://ifconfig.me
curl -6 https://ifconfig.me
```

## Troubleshooting

### Check firewall

```bash
sudo nft list ruleset
```

### Check IP forwarding

Both values must be `1`, otherwise VPN clients can reach the server but not the internet:

```bash
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding
```

### View logs

```bash
sudo journalctl -u wg-quick@wg0 -f
```

### Check client directory

```bash
ls -la /etc/wireguard/peer.d/
```

### Manual reload if needed

```bash
sudo /usr/local/sbin/wg-load-clients
```

## Notes

- `/etc/wireguard/peer.d/` - Server-side peer configs, loaded automatically by wg-load-clients
- `/etc/wireguard/clients/` - Client-side configs (import to WireGuard apps) and QR codes; these hold client private keys, so keep the directory root-only
- Clients are reloaded automatically when added or removed
- IPv4 and IPv6 NAT are configured (MASQUERADE)
- The nftables firewall is configured as a single dual-stack ruleset covering both IPv4 and IPv6
- SSH (TCP 22) and WireGuard (UDP 51820) are allowed by default
- PersistentKeepalive is set to 25 seconds so that clients behind NAT keep their mapping open
- The server private key is stored in `/etc/wireguard/server_private.key` (root-only, mode 600)
- The server public key is displayed after installation
- Use the `nftables-firewall` script for easy firewall management
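## Example: checking and loading peer.d

The peer.d layout described under Dynamic client loading and Manual Client Configuration is easy to get subtly wrong: a typo in a public key, an `AllowedIPs` wider than one host, or two files claiming the same address. The script below is an added example written for this README; it is not the project's `wg-load-clients` or `wg-client-manager`. It validates every file in a peer.d directory against the README's ranges, picks the next free IPv4 host for a new client, and (when run as root with `wg` and `wg-quick` installed) syncs the running interface in place with `wg syncconf`, which adds, updates and removes peers without restarting `wg-quick@wg0`. The `apply` path assumes that `/etc/wireguard/wg0.conf` holds only the `[Interface]` section and that the peers live entirely in peer.d; that is an assumption about this setup, not something the README states.

```bash
#!/usr/bin/env bash
# Added example, not the repo's wg-load-clients: validate /etc/wireguard/peer.d/*.conf,
# allocate the next free client address, and sync the live interface without a restart.
# Ranges are the README's; 10.10.69.1 / fd69:dead:beef:69::1 are the server itself.
V4_PREFIX='10.10.69.'
V6_PREFIX='fd69:dead:beef:69::'

# conf_value KEY FILE: value of the first "KEY = value" line, whitespace trimmed.
conf_value() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | sed 's/[[:space:]]*$//' | head -n1
}

# A Curve25519 public key is 32 bytes: exactly 44 base64 characters ending in '='.
valid_pubkey() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'
}

# One AllowedIPs entry must be a single client host inside the VPN ranges.
# AllowedIPs is also WireGuard's source filter for that peer, so a wider prefix
# (or the server's own address) would let the client send traffic as others.
valid_allowed_ip() {
    local host
    case "$1" in
        "$V4_PREFIX"*/32)
            host="${1#$V4_PREFIX}"; host="${host%/32}"
            printf '%s' "$host" | grep -Eq '^[0-9]{1,3}$' \
                && [ "$host" -ge 2 ] && [ "$host" -le 254 ] ;;
        "$V6_PREFIX"*/128)
            host="${1#$V6_PREFIX}"; host="${host%/128}"
            case "$host" in 0|1|'') return 1 ;; esac
            printf '%s' "$host" | grep -Eq '^[0-9a-fA-F]{1,4}$' ;;
        *) return 1 ;;
    esac
}

# validate_peer_file FILE: one [Peer], no [Interface], a well-formed key, host-only AllowedIPs.
validate_peer_file() {
    local f="$1" key ips ip n
    n=$(grep -c '^[[:space:]]*\[Peer\]' "$f") || true
    [ "$n" -eq 1 ] || { echo "$f: expected exactly one [Peer] section"; return 1; }
    if grep -q '^[[:space:]]*\[Interface\]' "$f"; then
        echo "$f: [Interface] does not belong in peer.d"; return 1
    fi
    key=$(conf_value PublicKey "$f")
    valid_pubkey "$key" || { echo "$f: missing or malformed PublicKey"; return 1; }
    ips=$(conf_value AllowedIPs "$f" | tr ',' ' ')
    [ -n "$ips" ] || { echo "$f: missing AllowedIPs"; return 1; }
    for ip in $ips; do
        valid_allowed_ip "$ip" || { echo "$f: '$ip' is not a single host in the VPN range"; return 1; }
    done
}

# check_peer_dir DIR: every file valid, and no key or address claimed twice.
check_peer_dir() {
    local dir="$1" f rc=0 keys ips
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || { echo "$dir: no peer files"; return 1; }
        validate_peer_file "$f" || rc=1
    done
    [ "$rc" -eq 0 ] || return 1
    keys=$(for f in "$dir"/*.conf; do conf_value PublicKey "$f"; done | sort | uniq -d)
    [ -z "$keys" ] || { echo "$dir: duplicate PublicKey: $keys"; return 1; }
    ips=$(for f in "$dir"/*.conf; do conf_value AllowedIPs "$f" | tr ',' '\n'; done \
          | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sort | uniq -d)
    [ -z "$ips" ] || { echo "$dir: duplicate AllowedIPs: $ips"; return 1; }
}

# next_free_host DIR: lowest unused IPv4 host number (2..254) in 10.10.69.0/24.
next_free_host() {
    local dir="$1" used n
    used=$(for f in "$dir"/*.conf; do [ -e "$f" ] || continue; conf_value AllowedIPs "$f"; done \
           | tr ',' '\n' | sed -n 's|^[[:space:]]*10\.10\.69\.\([0-9]*\)/32.*|\1|p')
    n=2
    while [ "$n" -le 254 ]; do
        printf '%s\n' "$used" | grep -qx "$n" || { echo "$n"; return 0; }
        n=$((n + 1))
    done
    echo "no free address in ${V4_PREFIX}0/24" >&2; return 1
}

# apply_peers DIR [IFACE]: merge [Interface] + peer.d and hand it to wg syncconf.
# Assumes /etc/wireguard/IFACE.conf holds only the [Interface] section (assumption).
# Needs root, wg and wg-quick; the merged file holds the server private key, so it
# lives in a mode-0700 temp dir and is deleted afterwards.
apply_peers() {
    local dir="$1" iface="${2:-wg0}" tmpdir rc
    check_peer_dir "$dir" || return 1
    tmpdir=$(mktemp -d) || return 1
    cat "/etc/wireguard/$iface.conf" "$dir"/*.conf > "$tmpdir/$iface.conf" &&
        wg-quick strip "$tmpdir/$iface.conf" > "$tmpdir/stripped.conf" &&
        wg syncconf "$iface" "$tmpdir/stripped.conf"
    rc=$?
    rm -rf "$tmpdir"
    return "$rc"
}

case "${1:-}" in
    check) check_peer_dir "${2:-/etc/wireguard/peer.d}" && echo "peer.d OK" ;;
    next)  next_free_host "${2:-/etc/wireguard/peer.d}" ;;
    apply) apply_peers "${2:-/etc/wireguard/peer.d}" "${3:-wg0}" ;;
esac
```

Run `check` before every reload and `next` when writing a new peer file by hand; `apply` is what a reload would look like when done with `wg syncconf` instead of a service restart, so deleting a file from peer.d also drops that peer from the live interface.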
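## Example: the nftables ruleset

The Firewall management section lists what the firewall does but not what the rules look like. The following is an added example of an nftables ruleset with exactly that behaviour (single `inet` table for both families, default-drop input, SSH and WireGuard in, forwarding only from wg0, masquerade for the VPN ranges); it is written for this README and is not the project's `nftables-firewall` script, so the real rules on the VPS may differ in detail. `WAN_IF` is an assumption: set it to the VPS's uplink interface (`ip route show default` tells you which).

```bash
#!/usr/bin/env bash
# Added example, not the repo's nftables-firewall script: render, check and load an
# nftables ruleset matching the behaviour this README describes.
# WAN_IF is an assumption; override it with the VPS's real uplink interface.
WAN_IF="${WAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"
SSH_PORT="${SSH_PORT:-22}"
WG_PORT="${WG_PORT:-51820}"
VPN4="10.10.69.0/24"
VPN6="fd69:dead:beef:69::/64"

# Print the ruleset. "flush ruleset" at the top makes loading atomic and idempotent.
render_ruleset() {
cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport $SSH_PORT accept comment "SSH"
        udp dport $WG_PORT accept comment "WireGuard"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        # only VPN clients are routed, and only towards the uplink
        iifname "$WG_IF" oifname "$WAN_IF" accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # one inet table covers both families: source-NAT VPN traffic leaving the uplink
        ip saddr $VPN4 oifname "$WAN_IF" masquerade
        ip6 saddr $VPN6 oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Parse-check the rendered ruleset without touching the live tables (nft --check).
check_ruleset() {
    render_ruleset | nft -c -f -
}

# Replace the live ruleset with the rendered one (needs root).
apply_ruleset() {
    render_ruleset | nft -f -
}

# has_rule TEXT: true if the rendered ruleset contains TEXT literally.
has_rule() {
    render_ruleset | grep -Fq -- "$1"
}

case "${1:-}" in
    render) render_ruleset ;;
    check)  check_ruleset ;;
    apply)  apply_ruleset ;;
esac
```

To make the rules survive a reboot on Debian, write `render_ruleset` output to `/etc/nftables.conf` and enable `nftables.service`, which loads that file at boot. The forward chain only lets packets through; clients still need `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` set to 1, as checked under Troubleshooting.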