WireGuard VPN Setup for Debian 13
Overview
Personal WireGuard VPN server with IPv4/IPv6 support, client management via wireguard.sh, designed for 1 CPU / 1GB RAM VPS.
Configuration
- Server Domain: velkhana.calmcacil.dev
- Port: 51820
- VPN IPv4 Range: 10.10.69.0/24
- VPN IPv6 Range: fd69:dead:beef:69::/64
- DNS: 8.8.8.8, 8.8.4.4 (Google)
- Server-side peer configs: /etc/wireguard/conf.d/client-*.conf (loaded dynamically)
- Client-side configs: /etc/wireguard/clients/*.conf (for distribution)
Installation
1. Upload script to VPS
scp wireguard.sh calmcacil@velkhana.calmcacil.dev:~/
2. Run installation
chmod +x ~/wireguard.sh
sudo ~/wireguard.sh install
Usage
Dynamic client loading
WireGuard automatically loads clients from /etc/wireguard/conf.d/:
- Add/remove client configs in
/etc/wireguard/conf.d/client-*.conf - Run
sudo ~/wireguard.sh load-clientsto reload - Changes are applied immediately without restarting
Add a new client
sudo ~/wireguard.sh add myphone
This creates:
- Server config in
/etc/wireguard/conf.d/client-myphone.conf - Client config in
/etc/wireguard/clients/myphone.conf - QR code in
/etc/wireguard/clients/myphone.qr
List all clients
sudo ~/wireguard.sh list
Show client config
sudo ~/wireguard.sh show myphone
Show QR code
sudo ~/wireguard.sh qr myphone
Remove a client
sudo ~/wireguard.sh remove myphone
Server Management
Check WireGuard status
sudo wg show
Check service status
sudo systemctl status wg-quick@wg0
Restart WireGuard
sudo systemctl restart wg-quick@wg0
Reload clients (automatic on add/remove)
sudo ~/wireguard.sh load-clients
Firewall management
The setup configures nftables with:
- Dual-stack IPv4/IPv6 support in a single ruleset
- Default drop incoming, accept outgoing
- SSH access allowed (port 22)
- WireGuard allowed (UDP 51820)
- Forwarding from wg0 interface allowed
- NAT masquerade for VPN internet access
View firewall rules:
sudo nft list ruleset
Reload firewall:
sudo nft -f /etc/nftables.conf
Note: nftables rules are automatically loaded on boot by the nftables service from /etc/nftables.conf. No manual intervention required after reboot.
Allow additional ports if needed:
sudo nft add rule inet wireguard input tcp dport 80 accept # HTTP
sudo nft add rule inet wireguard input tcp dport 443 accept # HTTPS
Manual Client Configuration
To manually add a client, create a file in /etc/wireguard/conf.d/:
[Peer]
# mydevice
PublicKey = <client_public_key>
AllowedIPs = 10.10.69.2/32, fd69:dead:beef:69::2/128
Then run:
sudo ~/wireguard.sh load-clients
Client Setup
Importing the config
- Desktop: Import
/etc/wireguard/clients/<name>.confinto WireGuard app - Mobile: Scan QR code with WireGuard app, or import config file
Test connectivity
# On client
ping 10.10.69.1
ping -6 fd69:dead:beef:69::1
# Check your IP
curl -4 https://ifconfig.me
curl -6 https://ifconfig.me
Troubleshooting
Check firewall
sudo nft list ruleset
Check IP forwarding
sysctl net.ipv4.ip_forward
sysctl net.ipv6.conf.all.forwarding
View logs
sudo journalctl -u wg-quick@wg0 -f
Check client directory
ls -la /etc/wireguard/conf.d/
Manual reload if needed
sudo ~/wireguard.sh load-clients
Notes
/etc/wireguard/conf.d/- Server-side peer configs, loaded automatically by wireguard.sh/etc/wireguard/clients/- Client-side configs (import to WireGuard apps) and QR codes- Clients are automatically reloaded when added/removed
- IPv4 and IPv6 NAT are configured (MASQUERADE)
- nftables firewall is configured with dual-stack IPv4/IPv6 support
- Single nftables ruleset handles both IPv4 and IPv6
- SSH (port 22) and WireGuard (UDP 51820) are allowed by default
- Keepalive is set to 25 seconds for better stability
- Server private keys are stored in
/etc/wireguard/server_private.key - Server public key is displayed after installation