# WireGuard VPN Setup for Debian 13

## Overview

Personal WireGuard VPN server with IPv4/IPv6 support and client management via `wireguard.sh`, designed for a 1 CPU / 1 GB RAM VPS.

## Configuration

- **Server Domain**: velkhana.calmcacil.dev
- **Port**: 51820
- **VPN IPv4 Range**: 10.10.69.0/24
- **VPN IPv6 Range**: fd69:dead:beef:69::/64
- **DNS**: 8.8.8.8, 8.8.4.4 (Google)
- **Server-side peer configs**: /etc/wireguard/conf.d/client-*.conf (loaded dynamically)
- **Client-side configs**: /etc/wireguard/clients/*.conf (for distribution)

## Installation

### 1. Upload script to VPS

```bash
scp wireguard.sh calmcacil@velkhana.calmcacil.dev:~/
```

### 2. Run installation

```bash
chmod +x ~/wireguard.sh
sudo ~/wireguard.sh install
```

## Usage

### Dynamic client loading

Client peers are loaded dynamically from `/etc/wireguard/conf.d/`:

- Add/remove client configs in `/etc/wireguard/conf.d/client-*.conf`
- Run `sudo ~/wireguard.sh load-clients` to reload
- Changes are applied immediately without restarting

### Add a new client

```bash
sudo ~/wireguard.sh add myphone
```

This creates:

- Server config in `/etc/wireguard/conf.d/client-myphone.conf`
- Client config in `/etc/wireguard/clients/myphone.conf`
- QR code in `/etc/wireguard/clients/myphone.qr`

### List all clients

```bash
sudo ~/wireguard.sh list
```

### Show client config

```bash
sudo ~/wireguard.sh show myphone
```

### Show QR code

```bash
sudo ~/wireguard.sh qr myphone
```

### Remove a client

```bash
sudo ~/wireguard.sh remove myphone
```

## Server Management

### Check WireGuard status

```bash
sudo wg show
```

### Check service status

```bash
sudo systemctl status wg-quick@wg0
```

### Restart WireGuard

```bash
sudo systemctl restart wg-quick@wg0
```

### Reload clients (automatic on add/remove)

```bash
sudo ~/wireguard.sh load-clients
```

### Firewall management

The setup configures nftables with:

- Dual-stack IPv4/IPv6 support in a single ruleset
- Default drop incoming, accept outgoing
- SSH access allowed (port 22)
- WireGuard allowed (UDP 51820)
- Forwarding from the wg0 interface allowed
- NAT masquerade for VPN internet access

View firewall rules:

```bash
sudo nft list ruleset
```

Reload firewall:

```bash
sudo nft -f /etc/nftables.conf
```

**Note**: nftables rules are loaded automatically on boot by the nftables service from `/etc/nftables.conf`. No manual intervention is required after a reboot.

Allow additional ports if needed:

```bash
sudo nft add rule inet wireguard input tcp dport 80 accept   # HTTP
sudo nft add rule inet wireguard input tcp dport 443 accept  # HTTPS
```

Rules added with `nft add rule` exist only in the running ruleset; add them to `/etc/nftables.conf` as well so they survive the next `nft -f` reload or reboot.

## Manual Client Configuration

To manually add a client, create a file in `/etc/wireguard/conf.d/` containing the client's public key and its assigned VPN addresses:

```ini
[Peer]
# mydevice
PublicKey =
AllowedIPs = 10.10.69.2/32, fd69:dead:beef:69::2/128
```

Then run:

```bash
sudo ~/wireguard.sh load-clients
```

## Client Setup

### Importing the config

- **Desktop**: Import `/etc/wireguard/clients/.conf` into the WireGuard app
- **Mobile**: Scan the QR code with the WireGuard app, or import the config file

### Test connectivity

```bash
# On client
ping 10.10.69.1
ping -6 fd69:dead:beef:69::1

# Check your IP
curl -4 https://ifconfig.me
curl -6 https://ifconfig.me
```

## Troubleshooting

### Check firewall

```bash
sudo nft list ruleset
```

### Check IP forwarding

```bash
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding
```

### View logs

```bash
sudo journalctl -u wg-quick@wg0 -f
```

### Check client directory

```bash
ls -la /etc/wireguard/conf.d/
```

### Manual reload if needed

```bash
sudo ~/wireguard.sh load-clients
```

## Notes

- `/etc/wireguard/conf.d/` - Server-side peer configs, loaded automatically by wireguard.sh
- `/etc/wireguard/clients/` - Client-side configs (import into WireGuard apps) and QR codes
- Clients are reloaded automatically when added/removed
- IPv4 and IPv6 NAT are configured (MASQUERADE)
- nftables firewall is configured with dual-stack IPv4/IPv6 support
- A single nftables ruleset handles both IPv4 and IPv6
- SSH (port 22) and WireGuard (UDP 51820) are allowed by default
- Keepalive is set to 25 seconds for better stability
- The server private key is stored in `/etc/wireguard/server_private.key`
- The server public key is displayed after installation
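## Checking a peer file before loading

A lint script for the manual client workflow above, added here as an example and not part of `wireguard.sh`: it validates a file in `/etc/wireguard/conf.d/` against the settings in this README (the `client-*.conf` naming and the VPN ranges) before `load-clients` applies it. The sample files and the all-zero placeholder key are constructed for the stand-alone run; on the server, drop the demo lines at the bottom and call `check_peer_conf` on the real file.

```bash
#!/usr/bin/env bash
# Added example, not part of wireguard.sh: lint a server-side peer file in
# /etc/wireguard/conf.d/ before `load-clients` applies it. Flags a missing or
# malformed PublicKey, an AllowedIPs entry that is not a single host inside the
# VPN ranges (a wider prefix would capture other peers' traffic), and duplicates.
KEY_RE='^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$'   # 32-byte key, base64 with padding
VPN4_RE='^10\.10\.69\.([2-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-4])/32$'
VPN6_RE='^fd69:dead:beef:69::[0-9a-fA-F]{1,4}/128$'   # the ::N form the script writes

# conf_value FILE KEY -> first value of KEY with whitespace stripped (empty if absent)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=//p" "$1" | head -n1 | tr -d '[:space:]'
}

# check_peer_conf FILE [CONF_DIR] -> 0 if the file is safe to load, 1 otherwise
check_peer_conf() {
    local file="$1" dir="${2:-/etc/wireguard/conf.d}" rc=0 key ips ip other
    grep -q '^\[Peer\]' "$file" || { echo "$file: no [Peer] section" >&2; rc=1; }
    key=$(conf_value "$file" PublicKey)
    printf '%s\n' "$key" | grep -Eq "$KEY_RE" ||
        { echo "$file: PublicKey missing or malformed" >&2; rc=1; }
    ips=$(conf_value "$file" AllowedIPs | tr ',' '\n')
    [ -n "$ips" ] || { echo "$file: AllowedIPs missing" >&2; rc=1; }
    for ip in $ips; do
        if ! printf '%s\n' "$ip" | grep -Eq "$VPN4_RE|$VPN6_RE"; then
            echo "$file: '$ip' is not a single host in the VPN ranges" >&2; rc=1
            continue
        fi
        for other in "$dir"/client-*.conf; do   # address already used by another peer?
            [ -e "$other" ] && ! [ "$other" -ef "$file" ] || continue
            grep -Fq -- "$ip" "$other" && { echo "$file: '$ip' already used by $other" >&2; rc=1; }
        done
    done
    return $rc
}

ZERO_KEY='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='   # constructed placeholder, not a real key
# make_samples DIR: constructed peer files for a stand-alone run
make_samples() {
    mkdir -p "$1"
    printf '[Peer]\n# laptop\nPublicKey = %s\nAllowedIPs = 10.10.69.2/32, fd69:dead:beef:69::2/128\n' \
        "$ZERO_KEY" > "$1/client-laptop.conf"                  # well-formed
    printf '[Peer]\n# mydevice\nPublicKey =\nAllowedIPs = 10.10.69.3/32\n' \
        > "$1/client-mydevice.conf"                             # README template, key not filled in
    printf '[Peer]\nPublicKey = %s\nAllowedIPs = 10.10.69.0/24\n' \
        "$ZERO_KEY" > "$1/client-broad.conf"                   # whole range: would shadow every peer
}
tmp=$(mktemp -d) && make_samples "$tmp"
for f in "$tmp"/client-*.conf; do check_peer_conf "$f" "$tmp" && echo "OK: $f"; done
rm -rf "$tmp"
```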