Calmcacil 0be89f10a1 Fix firewall rules not loading on reboot
- Enable and start nftables service during installation
- Create /etc/nftables.conf that includes /etc/nftables.d/wireguard.conf
- nftables service now loads firewall rules automatically on boot
- Update documentation to reflect proper configuration file paths
- Remove historical VALIDATION.md document
- Clean up documentation references to non-existent scripts

Closes #1
2026-01-12 16:13:12 +01:00
2026-01-12 16:03:21 +01:00

WireGuard VPN Setup for Debian 13

Overview

A personal WireGuard VPN server with IPv4/IPv6 support and client management via wireguard.sh, designed for a 1 CPU / 1 GB RAM VPS.

Configuration

  • Server Domain: velkhana.calmcacil.dev
  • Port: 51820
  • VPN IPv4 Range: 10.10.69.0/24
  • VPN IPv6 Range: fd69:dead:beef:69::/64
  • DNS: 8.8.8.8, 8.8.4.4 (Google)
  • Server-side peer configs: /etc/wireguard/conf.d/client-*.conf (loaded dynamically)
  • Client-side configs: /etc/wireguard/clients/*.conf (for distribution)

Installation

1. Upload script to VPS

scp wireguard.sh calmcacil@velkhana.calmcacil.dev:~/

2. Run installation

chmod +x ~/wireguard.sh
sudo ~/wireguard.sh install

Usage

Dynamic client loading

wireguard.sh loads peer configs from /etc/wireguard/conf.d/ into the running wg0 interface:

  • Add/remove client configs in /etc/wireguard/conf.d/client-*.conf
  • Run sudo ~/wireguard.sh load-clients to reload
  • Changes are applied immediately without restarting

Add a new client

sudo ~/wireguard.sh add myphone

This creates:

  • Server config in /etc/wireguard/conf.d/client-myphone.conf
  • Client config in /etc/wireguard/clients/myphone.conf
  • QR code in /etc/wireguard/clients/myphone.qr

List all clients

sudo ~/wireguard.sh list

Show client config

sudo ~/wireguard.sh show myphone

Show QR code

sudo ~/wireguard.sh qr myphone

Remove a client

sudo ~/wireguard.sh remove myphone

Server Management

Check WireGuard status

sudo wg show

Check service status

sudo systemctl status wg-quick@wg0

Restart WireGuard

sudo systemctl restart wg-quick@wg0

Reload clients (automatic on add/remove)

sudo ~/wireguard.sh load-clients

Firewall management

The setup configures nftables with:

  • Dual-stack IPv4/IPv6 support in a single ruleset
  • Default drop incoming, accept outgoing
  • SSH access allowed (port 22)
  • WireGuard allowed (UDP 51820)
  • Forwarding from wg0 interface allowed
  • NAT masquerade for VPN internet access

View firewall rules:

sudo nft list ruleset

Reload firewall:

sudo nft -f /etc/nftables.conf

Note: nftables rules are automatically loaded on boot by the nftables service from /etc/nftables.conf. No manual intervention required after reboot.

Allow additional ports if needed:

sudo nft add rule inet wireguard input tcp dport 80 accept    # HTTP
sudo nft add rule inet wireguard input tcp dport 443 accept   # HTTPS
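The ruleset described above, written out as an added example (this is not the repository's own /etc/nftables.d/wireguard.conf, whose exact contents are not shown here): a shell script that generates one dual-stack inet table named wireguard with the six properties listed, plus the small /etc/nftables.conf that includes it so the nftables service restores the firewall at boot. Addresses, ports and the table name come from this README; the conntrack rules and the ICMP/ICMPv6 accept rules are this example's assumptions (ICMPv6 must be allowed or IPv6 neighbour discovery stops working). Because the service rebuilds the ruleset from these files on reboot, ports opened at runtime with nft add rule, as in the HTTP/HTTPS lines above, are lost unless they are also added to the file.

```shell
#!/bin/sh
# Added example, not the repository's wireguard.sh or its shipped ruleset.
# Generates the dual-stack nftables ruleset the README describes and the
# /etc/nftables.conf that includes it, so "systemctl enable nftables"
# restores the firewall on boot. Addresses and ports are the README's;
# the ct-state and ICMP rules are this example's assumptions.
set -u

WG_IF="wg0"
WG_PORT=51820
SSH_PORT=22
WG_NET4="10.10.69.0/24"
WG_NET6="fd69:dead:beef:69::/64"

# Emit the firewall table. One "inet" table carries both IPv4 and IPv6
# rules; the "ip"/"ip6" selectors pick the family only where it matters (NAT).
wg_ruleset() {
    cat <<EOF
table inet wireguard {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept
        tcp dport $SSH_PORT accept
        udp dport $WG_PORT accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$WG_IF" accept
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr $WG_NET4 oifname != "$WG_IF" masquerade
        ip6 saddr $WG_NET6 oifname != "$WG_IF" masquerade
    }
}
EOF
}

# Emit the boot-time entry point read by the nftables service.
# "flush ruleset" makes every load idempotent: the file is the whole policy.
nftables_conf() {
    cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
include "/etc/nftables.d/wireguard.conf"
EOF
}

# Stage both files under $1 (pass "" to write to the real /etc).
install_rules() {
    root="${1:-}"
    mkdir -p "$root/etc/nftables.d"
    nftables_conf > "$root/etc/nftables.conf"
    wg_ruleset > "$root/etc/nftables.d/wireguard.conf"
}

# Parse-only check of a ruleset file with "nft -c"; skipped when nft is absent.
check_rules() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed, skipping syntax check" >&2
    fi
}

# Usage: sh this.sh --demo   (stages under a temp dir and checks the syntax)
if [ "${1:-}" = "--demo" ]; then
    stage=$(mktemp -d)
    install_rules "$stage"
    cat "$stage/etc/nftables.d/wireguard.conf"
    check_rules "$stage/etc/nftables.d/wireguard.conf" && echo "ruleset parses"
fi
```

Running check_rules before `sudo nft -f /etc/nftables.conf` catches a typo without touching the live ruleset; a bad file otherwise fails partway through and can leave the host without its SSH allow rule.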

Manual Client Configuration

To add a client manually, create a client-<name>.conf file in /etc/wireguard/conf.d/ (the pattern wireguard.sh loads from, see Configuration) containing a [Peer] section:

[Peer]
# mydevice
PublicKey = <client_public_key>
AllowedIPs = 10.10.69.2/32, fd69:dead:beef:69::2/128

Then run:

sudo ~/wireguard.sh load-clients
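The manual procedure above, and the dynamic loading it relies on, as an added example (this script is not the repository's wireguard.sh and does not reproduce its internals): it picks the next unused host in the README's 10.10.69.0/24 and fd69:dead:beef:69::/64 ranges by scanning the existing client-*.conf fragments, validates the client name and public key before writing anything, writes the server-side [Peer] fragment in the layout shown above, and renders the matching client-side config with the README's endpoint, DNS servers and 25 second keepalive. Key generation uses wg(8) only when it is installed; the client-side Address prefix lengths (/24 and /64) are this example's choice. After running it, reload with sudo ~/wireguard.sh load-clients as the README says.

```shell
#!/bin/sh
# Added example, not the repository's wireguard.sh. Creates a server-side
# peer fragment by hand in the README's layout (/etc/wireguard/conf.d/
# client-<name>.conf), choosing the next unused host in 10.10.69.0/24 and
# fd69:dead:beef:69::/64 by scanning existing fragments, and renders the
# matching client-side config. Run "sudo ~/wireguard.sh load-clients" after.
set -u

CONF_D="${CONF_D:-/etc/wireguard/conf.d}"   # overridable for testing
NET4_PREFIX="10.10.69"
NET6_PREFIX="fd69:dead:beef:69::"
ENDPOINT="velkhana.calmcacil.dev:51820"
DNS="8.8.8.8, 8.8.4.4"

# A WireGuard key is 32 bytes in base64: 43 characters plus one '=' of padding.
valid_key() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; }

# Names become file names; refuse anything that could escape the directory.
valid_name() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,32}$'; }

# Lowest host number >= 2 (.1 is the server) not yet on any AllowedIPs line.
next_free_host() {
    prefix_re=$(printf '%s' "$NET4_PREFIX" | sed 's/\./\\./g')
    used=$(grep -h '^AllowedIPs' "$CONF_D"/client-*.conf 2>/dev/null \
        | sed -n "s|.*$prefix_re\.\([0-9][0-9]*\)/32.*|\1|p" | sort -n)
    n=2
    for u in $used; do
        if [ "$u" -eq "$n" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Write client-<name>.conf for the server; prints the allocated host number.
add_peer() {
    name="$1"; pubkey="$2"
    valid_name "$name" || { echo "invalid client name: $name" >&2; return 1; }
    valid_key "$pubkey" || { echo "invalid public key" >&2; return 1; }
    if [ -e "$CONF_D/client-$name.conf" ]; then
        echo "client already exists: $name" >&2; return 1
    fi
    host=$(next_free_host)
    host6=$(printf '%x' "$host")   # IPv6 suffix is hex, so ::2 pairs with .2
    cat > "$CONF_D/client-$name.conf" <<EOF
[Peer]
# $name
PublicKey = $pubkey
AllowedIPs = $NET4_PREFIX.$host/32, $NET6_PREFIX$host6/128
EOF
    echo "$host"
}

# Render the client's own config from its private key, the server's public
# key and the host number add_peer returned.
client_config() {
    privkey="$1"; server_pub="$2"; host="$3"
    host6=$(printf '%x' "$host")
    cat <<EOF
[Interface]
PrivateKey = $privkey
Address = $NET4_PREFIX.$host/24, $NET6_PREFIX$host6/64
DNS = $DNS

[Peer]
PublicKey = $server_pub
Endpoint = $ENDPOINT
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
EOF
}

# Usage: sudo sh this.sh <name> <server_public_key>   (needs wg for keys)
if [ $# -eq 2 ] && command -v wg >/dev/null 2>&1; then
    priv=$(wg genkey)
    pub=$(printf '%s\n' "$priv" | wg pubkey)
    h=$(add_peer "$1" "$pub") && client_config "$priv" "$2" "$h"
fi
```

The name check matters because the name is spliced straight into a path under /etc/wireguard; the key check rejects a pasted key with a stray character before it ends up in a fragment that load-clients would then fail on.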

Client Setup

Importing the config

  • Desktop: Import /etc/wireguard/clients/<name>.conf into the WireGuard app
  • Mobile: Scan QR code with WireGuard app, or import config file

Test connectivity

# On client
ping 10.10.69.1
ping -6 fd69:dead:beef:69::1

# Check your IP
curl -4 https://ifconfig.me
curl -6 https://ifconfig.me

Troubleshooting

Check firewall

sudo nft list ruleset

Check IP forwarding

sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding

View logs

sudo journalctl -u wg-quick@wg0 -f

Check client directory

ls -la /etc/wireguard/conf.d/

Manual reload if needed

sudo ~/wireguard.sh load-clients

Notes

  • /etc/wireguard/conf.d/ - Server-side peer configs, loaded automatically by wireguard.sh
  • /etc/wireguard/clients/ - Client-side configs (import to WireGuard apps) and QR codes
  • Clients are automatically reloaded when added/removed
  • IPv4 and IPv6 NAT are configured (MASQUERADE)
  • nftables firewall is configured with dual-stack IPv4/IPv6 support
  • Single nftables ruleset handles both IPv4 and IPv6
  • SSH (port 22) and WireGuard (UDP 51820) are allowed by default
  • PersistentKeepalive is set to 25 seconds for better connection stability
  • The server private key is stored in /etc/wireguard/server_private.key
  • Server public key is displayed after installation